Abstract

In recent years there has been increased interest in detecting anomalies in network traffic data and audit logs for computer security. With the appearance of a masquerader, for example, a new anomalous behavior pattern may be observed in command line data, and it is important to detect the emergence of such a pattern as early as possible. This paper addresses this issue of anomaly detection by dynamically selecting statistical models from data. Our goal here is not to select a single model over the data, as in conventional statistical model selection, but to select a time series of optimal models efficiently, assuming that the true model may change over time. We call this approach dynamic model selection. We first propose a coding-theoretic criterion for dynamic model selection. Next, we propose two dynamic model selection algorithms attaining the minimum of the criterion and analyze their performance. Finally, we demonstrate the validity of our algorithms through a real application to masquerade detection using UNIX command sequences.
