One Class Support Vector Machines for Detecting Anomalous Windows Registry Accesses
- One Class Support Vector Machines for Detecting Anomalous Windows Registry Accesses
- Heller, Katherine
Keromytis, Angelos D.
- Computer Science
- Persistent URL:
- Presented at ICDM Workshop on Data Mining for Computer Security, Melbourne, FL, November 19, 2003.
- We present a new Host-based Intrusion Detection System (IDS) that monitors accesses to the Microsoft Windows Registry using Registry Anomaly Detection (RAD). Our system uses a one class Support Vector Machine (OCSVM) to detect anomalous registry behavior by training on a dataset of normal registry accesses. It then uses this model to detect outliers in new (unclassified) data generated from the same system. Given the success of OCSVMs in other applications, we apply them to the Windows Registry anomaly detection problem. We compare our system to the RAD system using the Probabilistic Anomaly Detection (PAD) algorithm on the same dataset. Surprisingly, we find that PAD outperforms our OCSVM system due to properties of the hierarchical prior incorporated in the PAD algorithm. In the future, these properties may be used to develop an improved kernel and increase the performance of the OCSVM system.
- Computer science
- Item views
text | xml
- Suggested Citation:
- Katherine Heller, Krysta Svore, Angelos D. Keromytis, Salvatore Stolfo, 2003, One Class Support Vector Machines for Detecting Anomalous Windows Registry Accesses, Columbia University Academic Commons, https://doi.org/10.7916/D85M6CFF.