Temporal sequence learning and data reduction for anomaly detection

@inproceedings{Lane1998TemporalSL,
  title={Temporal sequence learning and data reduction for anomaly detection},
  author={Terran Lane and Carla E. Brodley},
  booktitle={CCS '98},
  year={1998}
}
The anomaly-detection problem can be formulated as one of learning to characterize the behaviors of an individual, system, or network in terms of temporal sequences of discrete data. We present an approach on the basis of instance-based learning (IBL) techniques. To cast the anomaly-detection task in an IBL framework, we employ an approach that transforms temporal sequences of discrete, unordered observations into a metric space via a similarity measure that encodes intra-attribute dependencies…
TLDR
An approach that transforms temporal sequences of discrete, unordered observations into a metric space via a similarity measure that encodes intra-attribute dependencies and demonstrates that it can accurately differentiate the profiled user from alternative users when the available features encode sufficient information.
An Empirical Study of Two Approaches to Sequence Learning for Anomaly Detection
TLDR
It is found that over both model classes and a wide range of model scales, there is no significant difference in performance at recognizing the profiled user, and is taken as evidence that, in this security domain, limited memory models can learn only part of the user identity information.
Behavioral feature extraction for network anomaly detection
TLDR
Empirical results using unsupervised learning show that models based on behavioral features can achieve higher classification accuracies with markedly lower false positive rates than their traditional packet header feature counterparts.
Data Reduction Techniques for Instance-Based Learning from Human/Computer Interface Data
TLDR
An instance-based learning (IBL) system for profiling users, and empirically examine the data reduction performance of two clustering methods – an EM procedure, K-centers, and a greedy clustering method developed to address domain characteristics.
Anomaly Detection for Discrete Sequences: A Survey
TLDR
This survey attempts to provide a comprehensive and structured overview of the existing research for the problem of detecting anomalies in discrete/symbolic sequences and reveals new variants and combinations that have not been investigated before for anomaly detection.
Effectively Generating Frequent Episode Rules for Anomaly-based Intrusion Detection *
Data mining is a useful tool for building classifiers to distinguish intrusive behavior from normal network traffic. In this paper, we provide new pruning techniques for the reduction of frequent…
Benchmarking anomaly-based detection systems
  • R. Maxion, K. Tan
  • Computer Science
  • Proceeding International Conference on Dependable Systems and Networks. DSN 2000
  • 2000
TLDR
A metric for characterizing structure in data environments is introduced, and the hypothesis that intrinsic structure influences probabilistic detection is tested, indicating that current approaches to anomaly detection may not be universally dependable.
Anomaly detection for symbolic sequences and time series data
TLDR
This thesis develops several novel anomaly detection techniques which can be used to detect anomalies which translate to critical events in domains such as aircraft safety, intrusion detection, and patient health management and provides extensive experimental evaluation of the proposed techniques.
TR 09-015 Anomaly Detection for Discrete Sequences : A Survey
TLDR
This survey attempts to provide a comprehensive and structured overview of the existing research for the problem of detecting anomalies in discrete sequences and highlights the applicability of the techniques that handle discrete sequences to other related areas such as online anomaly detection and time series anomaly detection.
An Adaptive Classification Framework for Data Streaming Anomaly Detection
TLDR
This work proposes a framework and a process assisting system designers, finding the optimal methods for the case at hand, and demonstrates the approach with a case study of meteorological data collected over 15 years to classify and detect anomalies in new data.

References

Sequence Matching and Learning in Anomaly Detection for Computer Security
Two problems of importance in computer security are to 1) detect the presence of an intruder masquerading as the valid user and 2) detect the perpetration of abusive actions on the part of an…
Approaches to Online Learning and Concept Drift for User Identification in Computer Security
TLDR
A method for measuring direction and magnitude of concept drift in the classification space is demonstrated and approaches to the above stated issues which make use of the drift measurement are evaluated.
An Application of Machine Learning to Anomaly Detection
TLDR
A machine learning approach to anomaly detection that builds user profiles based on command sequences and compares current input sequences to the profile using a similarity measure and demonstrates that this is a promising approach to distinguishing the legitimate user from an intruder.
Hidden Markov Models for Human/Computer Interface Modeling
TLDR
It is demonstrated that, for most of the user population, a single-state model is inferior to the multi-state models, and that, within multi-state models, those with more states tend to model the profiled user more effectively but imposters less than do smaller models, consistent with the interpretation that larger models are necessary to capture high degrees of user behavioral complexity.
EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances
The EMERALD (Event Monitoring Enabling Responses to Anomalous Live Disturbances) environment is a distributed scalable tool suite for tracking malicious activity through and across large networks.
Filtering Techniques for Rapid User Classification
TLDR
A study of the use of noise suppression filters as components of a learning classification system for anomaly detection and finds that the median filter is generally to be preferred for this domain.
An Intrusion-Detection Model
  • D. Denning
  • Computer Science
  • IEEE Transactions on Software Engineering
  • 1987
A model of a real-time intrusion-detection expert system capable of detecting break-ins, penetrations, and other forms of computer abuse is described. The model is based on the hypothesis that…
GrIDS A Graph-Based Intrusion Detection System for Large Networks
TLDR
The design of GrIDS (Graph-Based Intrusion Detection System) is presented, which allows large-scale automated or co-ordinated attacks to be detected in near real-time and allows network administrators to state policies specifying which users may use particular services of individual hosts or groups of hosts.
Mining Sequential Patterns: Generalizations and Performance Improvements
TLDR
This work adds time constraints that specify a minimum and/or maximum time period between adjacent elements in a pattern, and relaxes the restriction that the items in an element of a sequential pattern must come from the same transaction.
A Decision-Theoretic Generalization of On-Line Learning and an Application to Boosting
TLDR
The model studied can be interpreted as a broad, abstract extension of the well-studied on-line prediction model to a general decision-theoretic setting, and it is shown that the multiplicative weight-update Littlestone-Warmuth rule can be adapted to this model, yielding bounds that are slightly weaker in some cases, but applicable to a considerably more general class of learning problems.