TINOpr oblems of importance in computer security are to I) detect the presence of an intruder masquerading as the valid user and 2) detect the perpetration of abusive actions on the part of an otherwise innocuous user. In this paper we present a machine learning approach to anomaly detection, desigined to handle these two problems. Our system learns a user profile for each user account and subsequently employs it to detect anomalous behavior in that account. Based on sequences of actions (UNIX commands) of the current user's input sti:earn, the system compares each fixed-length input sequence with a historical library of the account's command sequences using a similarity measure. Tlle system must learn to classify current behavior as consistent or anomalous with past behavior using only positive examples of the account's valid user. Our empirical results demonstrate that in most cases it is possib1.e to distingu. ish the legitimate user from an intruder and, furthermore, that an instance selection technique based on a memory page-replacement algorithm is capable of drastically reducing library size without hindering detection accuracy.


Application, Learning from positive examples, Sequen.ce learning

Date of this Version

February 1997