(An) approach to masquerade detection using support vector machine
Korean title: Masquerade detection technique based on Support Vector Machine

Masqueraders who impersonate other users pose a serious threat to computer security. Unfortunately, firewalls and misuse-based intrusion detection systems are generally ineffective at masquerade detection. Although anomaly detection techniques have long been considered an effective approach to complement misuse detection techniques, they are not widely used in practice due to poor accuracy and a relatively high rate of false alarms. In this paper, we performed an empirical study investigating the effectiveness of the Support Vector Machine (SVM) in detecting masquerade activities using two different UNIX command sets. The concept of "common commands" was introduced as a feature to more effectively reflect the diverse command patterns exhibited by various users. Though still imperfect, we detected masqueraders 80.1% and 94.8% of the time, while the previous studies reported accuracies of 69.3% and 62.8%, respectively, using the same data sets containing only the command names. When command names and arguments were included in the experiment, the SVM-based approach detected masqueraders 87.3% of the time, while the previous study, using the same data set, reported 82.1% accuracy. These combined experiments convincingly demonstrate that SVM is an effective approach to masquerade detection. As most sites, including those in military and intelligence domains, inevitably use the Web and Web browsers to conduct their core business, the ability to detect masqueraders in the Web environment is badly needed. We report our experiments on masquerade detection based on Web server logs collected from the KAIST Portal System, using SVM. When each Web server log entry was examined separately using per-request features such as IP and requested method, almost all masquerade activities were accurately detected, while the false alarm rate remained very low at 3%. In spite of the seemingly high performance, further analysis showed that IP is the only information that can be utilized and that all other pe...
Advisors
Cha, Sung-Deok (차성덕)
Description
KAIST : Department of Computer Science,
Publisher
KAIST (Korea Advanced Institute of Science and Technology)
Issue Date
2005
Identifier
244970/325007  / 020015087
Language
eng
Description

Dissertation (Ph.D.) - KAIST : Department of Computer Science, 2005.2, [ viii, 70 p. ]

Keywords

user command; SVM (Support Vector Machine); masquerade detection; anomaly detection; intrusion detection; Web server logs

URI
http://hdl.handle.net/10203/32887
Link
http://library.kaist.ac.kr/search/detail/view.do?bibCtrlNo=244970&flag=dissertation
Appears in Collection
CS-Theses_Ph.D. (Doctoral theses)
Files in This Item
There are no files associated with this item.