A comparative evaluation of two algorithms for Windows Registry Anomaly Detection

Stolfo, Salvatore J.; Apap, Frank; Eskin, Eleazar; Heller, Katherine; Hershkop, Shlomo; Honig, Andrew; Svore, Krysta M.

doi:10.3233/jcs-2005-13403

Cited by 43 publications

(26 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Stolfo et al [32] introduced a general purpose algorithm for anomaly detection (in windows environment), the Probabilistic Anomaly Detection (PAD) algorithm, that assumes anomalies or noise are a rare event in the training data.…”

Section: Related Workmentioning

confidence: 99%

“…In anomaly detection one class SVM algorithm (OCSVM) is used [32]. OCSVM builds a model from training on normal data and then classifies a test data as benign or anomaly based on geometric deviations from normal training data.…”

Section: Related Workmentioning

confidence: 99%

“…OCSVM builds a model from training on normal data and then classifies a test data as benign or anomaly based on geometric deviations from normal training data. Wang and Stolfo et al [32] showed, for masquerade detection, one-class SVM training is as effective as two-class training. The authors have investigated SVMs using binary features and frequency based features.…”

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Supervised Learning for Insider Threat Detection Using Stream Mining

Parveen¹,

Weger²,

Thuraisingham³

et al. 2011

2011 IEEE 23rd International Conference on Tools With Artificial Intelligence

View full text Add to dashboard Cite

Abstract-Insider threat detection requires the identification of rare anomalies in contexts where evolving behaviors tend to mask such anomalies. This paper proposes and tests an ensemble-based stream mining algorithm based on supervised learning that addresses this challenge by maintaining an evolving collection of multiple models to classify dynamic data streams of unbounded length. The result is a classifier that exhibits substantially increased classification accuracy for real insider threat streams relative to traditional supervised learning (traditional SVM and one-class SVM) and other single-model approaches.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Supervised Learning for Insider Threat Detection Using Stream Mining

Parveen¹,

Weger²,

Thuraisingham³

et al. 2011

2011 IEEE 23rd International Conference on Tools With Artificial Intelligence

View full text Add to dashboard Cite

show abstract

“…File Accesses Layer We implement a anomaly detector that monitors file system calls to detect anomalous accesses based on prior work [22]. We use Auditd [23], the default Linux auditing system, to audit file system accesses, and an unsupervised machine learning system to compute normal models for those accesses.…”

Section: Security Controlsmentioning

confidence: 99%

“…PAD calculates first order and second order probability for each of the 6 features giving a total of 36 probability values for each file access entry. An alert score is then computed using a multinomial model with a hierarchical prior based on dirichlet distribution, and log probabilities are used at each step to avoid underflows [22].…”

Section: Security Controlsmentioning

confidence: 99%

Synthetic Data Generation and Defense in Depth Measurement of Web Applications

Boggs

Zhao

et al. 2014

Research in Attacks, Intrusions and Defenses

Self Cite

View full text Add to dashboard Cite

Abstract. Measuring security controls across multiple layers of defense requires realistic data sets and repeatable experiments. However, data sets that are collected from real users often cannot be freely exchanged due to privacy and regulatory concerns. Synthetic datasets, which can be shared, have in the past had critical flaws or at best been one time collections of data focusing on a single layer or type of data. We present a framework for generating synthetic datasets with normal and attack data for web applications across multiple layers simultaneously. The framework is modular and designed for data to be easily recreated in order to vary parameters and allow for inline testing. We build a prototype data generator using the framework to generate nine datasets with data logged on four layers: network, file accesses, system calls, and database simultaneously. We then test nineteen security controls spanning all four layers to determine their sensitivity to dataset changes, compare performance even across layers, compare synthetic data to real production data, and calculate combined defense in depth performance of sets of controls.

show abstract

Naive Bayes as a Masquerade Detector: Addressing a Chronic Failure

Killourhy

Maxion

Insider Attack and Cyber Security

View full text Add to dashboard Cite

A comparative evaluation of two algorithms for Windows Registry Anomaly Detection

Cited by 43 publications

References 27 publications

Supervised Learning for Insider Threat Detection Using Stream Mining

Supervised Learning for Insider Threat Detection Using Stream Mining

Synthetic Data Generation and Defense in Depth Measurement of Web Applications

Naive Bayes as a Masquerade Detector: Addressing a Chronic Failure

Contact Info

Product

Resources

About