78 (IJCNS) International Journal of Computer and Network Security, Vol. 2, No. 10, 2010

identified [11]. However, the problem of proper threshold setting was still left unaddressed. Another study showed that composing two kernel methods improves detection accuracy while slightly lowering the false alarm rate [8].

3. Empirical Study and Experimental Results

As we surveyed in the previous section, the SVM has been widely employed in masquerade detection. Nevertheless, these studies mainly focused on demonstrating the superiority of the proposed model when compared to other approaches. The main purpose of our research is to provide a guideline for modeling an ideal set of features in utilizing the SVM so that the effectiveness of masquerade detection can be maximized. Our study analyzes the performance of masquerade detection with respect to three parameters: threshold levels, the type of classifiers, and the length of instances. Section 3.1 describes our experimental design and overall test results.

3.3 Dataset and Experimental Design

We used the most popular dataset provided by Schonlau et al. for our experiments. This dataset is called the SEA data and it includes 15,000 UNIX commands for each of 50 users [7]. We believed that the sequence of UNIX commands was a good identifier for determining the identity of each user; this approach has been widely used by many researchers [8], [9], [11]. The sequence of commands was parsed and partitioned to generate meaningful subgroups which were fed to the SVM. That is, each user's command history in the dataset was divided into multiple files which were broken down into two distinct categories: training data and test data. Commands were first taken from the dataset to compile a 500-line file for training on the appropriate SVM, which generated a profile for each user. Next, multiple files were generated for each sequence length, 4 to 13, for the purpose of identifying the effectiveness in terms of sequence length. Each user's profile was then trained on the appropriate SVM, and the profile was used to classify each test file for each user. For each user, 500 tests were conducted.

We analyzed detection rates by classifying a user's profile against other users' test files. Comparing a user's test data against his (or her) own normal profile generated false alarms. Data was then collected to determine the average detection rate and false alarm rate for each user in terms of different instance lengths. This data was further extended into three threshold values: 35%, 50%, and 70%. This in turn was averaged to determine the average detection rate and false alarm rate for each sequence length. That way, we could determine the relationship between the threshold level and the performance of masquerade detection.

Different types of classifiers were used for SVMs and we classified the types of classifiers into two distinctive groups: ordered and unordered. The order of the command sequence is considered in ordered classifiers whereas it is not taken into account in unordered classifiers. The LIBSVM (a Library for Support Vector Machines) is an integrated implementation for support vector classification [12] and this was selected for unordered classification. The SVMHMM (Support Vector Machines Hidden Markov Model) is an implementation of SVMs for sequence tagging [13] and it was selected for ordered classification.

The overall results of the tests that we have conducted are presented in Figure 1 and Figure 2. Figure 1 shows detection rates when different threshold (TH) values, 35%, 50%, and 70%, were applied to each SVM and Figure 2 shows their corresponding false alarm rates. Note that both detection rates and false alarm rates increase when the instance length gets longer. Detailed analysis of our findings is described in sections 3.2 ~ 3.4.

Figure 1. Comparison of detection rates

Figure 2. Comparison of false alarm rates

3.4 Threshold values

The threshold value represents the selected minimum matching percentage so that the audited behavior can be classified as a masquerade attack or not. Determining an appropriate threshold level directly affects the performance of the system. That is, in general, a rise in the threshold value increases both detection rates and false alarms. Figure 3 and Figure 4 show the average detection rates and false alarm rates when three threshold values, 35%, 50%, and 70%, were applied to each SVM.

Our testing showed that threshold values had a profound effect on detection and false alarm rates. Increasing the
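As an added illustration of the experimental design and the threshold rule described in this section (it is not the paper's code and does not use the SEA data), the following Python harness partitions each user's command history into a training file and fixed-length test instances, builds a per-user profile, and scores it against other users' test files (detection rate) and the user's own test files (false alarm rate) at the 35%, 50% and 70% thresholds. The two SVMs are replaced by a stand-in matcher, the set of command n-grams seen in training, with an `ordered` flag that keeps or discards command order in place of SVMHMM versus LIBSVM; the command streams are synthetic, and all function names (`build_profile`, `evaluate`, `make_synthetic_users`) are this example's own.

```python
"""Added example: a minimal evaluation harness for the masquerade-detection
experiment described above. It is NOT the paper's code: the two SVMs are
replaced by a stand-in profile matcher (a set of command n-grams), and the
SEA data is replaced by constructed synthetic command streams. Names such as
build_profile, evaluate and make_synthetic_users are this example's own."""
import random

THRESHOLDS = (35, 50, 70)        # minimum matching percentages, as in the paper
TRAIN_LINES = 500                # size of the per-user training file


def instances(commands, length):
    """Cut a command list into consecutive, non-overlapping instances."""
    return [tuple(commands[i:i + length])
            for i in range(0, len(commands) - length + 1, length)]


def instance_key(instance, ordered):
    """Ordered classifiers keep the sequence; unordered ones ignore order."""
    return instance if ordered else tuple(sorted(instance))


def build_profile(train_commands, length, ordered):
    """The user's 'profile': every instance seen in the training file."""
    return {instance_key(inst, ordered) for inst in instances(train_commands, length)}


def match_percentage(profile, test_commands, length, ordered):
    """Share of the test file's instances that also occur in the profile."""
    insts = instances(test_commands, length)
    if not insts:
        return 0.0
    hits = sum(1 for inst in insts if instance_key(inst, ordered) in profile)
    return 100.0 * hits / len(insts)


def is_masquerade(profile, test_commands, length, ordered, threshold):
    """Audited behaviour is flagged when it matches the profile below the threshold."""
    return match_percentage(profile, test_commands, length, ordered) < threshold


def evaluate(users, length, ordered, threshold):
    """users: {name: (train_commands, [test_file, ...])}.
    A profile run against other users' test files measures detection;
    run against the same user's own test files it measures false alarms.
    Returns (detection_rate, false_alarm_rate) in percent."""
    detections = attack_trials = false_alarms = own_trials = 0
    for owner, (train, _) in users.items():
        profile = build_profile(train, length, ordered)
        for author, (_, tests) in users.items():
            for test in tests:
                flagged = is_masquerade(profile, test, length, ordered, threshold)
                if author == owner:
                    own_trials += 1
                    false_alarms += flagged
                else:
                    attack_trials += 1
                    detections += flagged
    return (100.0 * detections / attack_trials, 100.0 * false_alarms / own_trials)


def make_synthetic_users(n_users=5, tests_per_user=20, test_lines=50, seed=7):
    """Constructed data (not SEA): each user leans on a small favourite
    vocabulary, so streams are user-specific but not perfectly repeatable."""
    rng = random.Random(seed)
    vocabulary = ["ls", "cd", "vi", "make", "gcc", "cat", "grep", "rm",
                  "mv", "cp", "ps", "kill", "ssh", "scp", "man", "git"]
    users = {}
    for u in range(n_users):
        favourites = rng.sample(vocabulary, 4)

        def stream(n, favourites=favourites):
            return [rng.choice(favourites) if rng.random() < 0.8
                    else rng.choice(vocabulary) for _ in range(n)]

        users[f"user{u}"] = (stream(TRAIN_LINES),
                             [stream(test_lines) for _ in range(tests_per_user)])
    return users


if __name__ == "__main__":
    users = make_synthetic_users()
    print(f"{'len':>3} {'classifier':>10} {'TH':>3} {'detect%':>8} {'false%':>7}")
    for length in (4, 7, 10):
        for ordered in (False, True):
            for th in THRESHOLDS:
                det, fa = evaluate(users, length, ordered, th)
                print(f"{length:>3} {'ordered' if ordered else 'unordered':>10} "
                      f"{th:>3} {det:8.1f} {fa:7.1f}")
```

Running the script prints one row per (instance length, classifier type, threshold). Because a file is flagged whenever its match percentage falls below TH, raising TH can only add flags, so both the detection rate and the false alarm rate are monotone in the threshold, which is the trade-off the paper reports; likewise the order-sensitive profile is strictly harder to match than the order-insensitive one, so its flag rates are never lower. The harness, not the stand-in matcher, is the point: dropping a real classifier into `is_masquerade` leaves the measurement unchanged.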
threshold value increased both detections and false alarms. Although the lowest threshold, 35%, had the lowest detection rates, this threshold produced minimal false alarms in testing (see Figure 3 and Figure 4). Much higher detection rates were seen at a threshold of 50% than at a threshold of 35%. While detection rates as high as 93.3% (SVMHMM) and 96.3% (LIBSVM) were achieved at a threshold level of 70%, this was at the cost of a high false alarm rate, 83.5% (SVMHMM) and 89.1% (LIBSVM) respectively. Thus, a threshold of 70% or higher is seen as impractical for use due to the excessively high false alarm rates.

Figure 2). False alarm rates differed by 26 points at sequence length four and 18 points at length five.

Note that the SVMHMM outperformed the LIBSVM in most cases with respect to detection rates when the instance lengths were less than 10 (see Figure 1). However, as the instance length was increased, the performance of both SVMs converged at length 10. The performance degradation in the SVMHMM seems to be caused by the increasing particularity as the instance lengths become too long. This is because it is less likely that users always enter a long series of commands in exactly the same pattern.

The performance of the LIBSVM, however, turned out to be less dependent on the instance lengths, and this behavior is shown in Figure 1 and Figure 2. The reason behind this phenomenon is that the specific order of commands entered by users is not considered in the LIBSVM. Therefore, there is no significant change in the performance as the instance length varies.

3.6 Instance lengths

In order to determine the effect of applying different instance lengths, we classified the employed instance lengths into three groups: Short (lengths of 4 ~ 6), Medium (lengths of 7 ~ 9), and Long (lengths of 10 ~ 13). Testing results are averaged and redrawn using these groups and they are represented in Figures 5, 6, 7, and 8.

a smaller instance length is desirable in order to maintain lower false alarm rates.

As we previously mentioned in section 3.3, the performance of the LIBSVM is less affected by the instance length (see Figure 7 and Figure 8). Note that there was a slight benefit in the detection rate as the instance lengths increased under the 35% threshold setting.

Figure 7. Analysis of detection rates (LIBSVM)

attractive to use a medium length instance; note that there was a 21.86% increase in the detection rate (see Figure 9) when the instance was lengthened from short to medium.

4. Conclusion

There have been many approaches to tackling masquerade attacks. However, these studies primarily focused on demonstrating the advantage of the proposed model when compared to other approaches. The main goal of our research is to investigate the effectiveness of masquerade detection using SVMs. We analyzed the performance of masquerade detection with respect to three parameters: threshold levels, the type of classifiers, and the length of instances.

In conclusion, no parameters that were selected and tested were able to improve detection rates while decreasing false alarms. In all tests, increased detection rates correlate with increased false alarm rates. However, masquerade detection using sequence classification was more successful at limiting false alarms with the use of smaller instance lengths. Increasing threshold values to 70% showed little benefit since false alarm rates increased significantly with only a slight increase in detection rates. This study shows that there is an advantage in using smaller instance lengths applied to a classifier which considers the order, as an effort to minimize false alarm rates. If maximizing detection capability is the main goal, the type of classifier is less relevant. Instead, it is desirable to use a longer instance at a sufficient threshold level where reasonable limits on false alarms can be retained.

Finally, a new dataset, if one becomes available, could be used to support and reinforce the validity of our findings. This research will help to provide a principle for modeling an ideal set of rules so that the effectiveness of masquerade detection can be maximized.