
One Class Support Vector Machines for Detecting Anomalous Windows Registry Accesses

Katherine Heller; Krysta Svore; Angelos D. Keromytis; Salvatore Stolfo

Title:
One Class Support Vector Machines for Detecting Anomalous Windows Registry Accesses
Author(s):
Heller, Katherine
Svore, Krysta
Keromytis, Angelos D.
Stolfo, Salvatore
Date:
Type:
Articles
Department(s):
Computer Science
Persistent URL:
Notes:
Presented at ICDM Workshop on Data Mining for Computer Security, Melbourne, FL, November 19, 2003.
Abstract:
We present a new Host-based Intrusion Detection System (IDS) that monitors accesses to the Microsoft Windows Registry using Registry Anomaly Detection (RAD). Our system uses a one class Support Vector Machine (OCSVM) to detect anomalous registry behavior by training on a dataset of normal registry accesses. It then uses this model to detect outliers in new (unclassified) data generated from the same system. Given the success of OCSVMs in other applications, we apply them to the Windows Registry anomaly detection problem. We compare our system to the RAD system using the Probabilistic Anomaly Detection (PAD) algorithm on the same dataset. Surprisingly, we find that PAD outperforms our OCSVM system due to properties of the hierarchical prior incorporated in the PAD algorithm. In the future, these properties may be used to develop an improved kernel and increase the performance of the OCSVM system.
Subject(s):
Computer science
Suggested Citation:
Katherine Heller, Krysta Svore, Angelos D. Keromytis, Salvatore Stolfo, One Class Support Vector Machines for Detecting Anomalous Windows Registry Accesses, Columbia University Academic Commons.
