One-class classifiers: a review and analysis of suitability in the context of mobile-masquerader detection

One-class classifiers, which use only data from one class for training, are justified when data from the other classes is difficult to obtain. In particular, their use is justified in mobile-masquerader detection, where user characteristics are classified as belonging to either the legitimate user class or the impostor class, and where collecting data originating from impostors is problematic. This paper systematically reviews various one-class classification methods and analyses their suitability in the context of mobile-masquerader detection. For each classification method, its sensitivity to errors in the training set, its computational requirements, and other characteristics are considered. Then, for each category of features used in masquerader detection, suitable classifiers are identified.
