One-Class Training for Masquerade Detection

Wang, Ke; Stolfo, Salvatore

We extend prior research on masquerade detection using UNIX commands issued by users as the audit source. Previous studies using multi-class training require gathering data from multiple users to train specific profiles of self and non-self for each user. One-class training uses data representative of only one user. We apply one-class Naïve Bayes using both the multivariate Bernoulli model and the multinomial model, and the one-class SVM algorithm. The result shows that one-class training for this task works as well as multi-class training, with the great practical advantages of collecting much less data and training more efficiently. One-class SVM using binary features performs best among the one-class training algorithms.



More About This Work

Academic Units: Computer Science
Published Here: April 30, 2010


Presented at ICDM Workshop on Data Mining for Computer Security, Melbourne, FL, November 19, 2003.