Learning User Models for Computer Intrusion Detection: Preliminary Results from Natural Induction Approach
Date
2005-11
Authors
Michalski, Ryszard S.
Kaufman, Kenneth A.
Pietrzykowski, Jaroslaw
Śnieżyński, Bartłomiej
Wojtusiak, Janusz
Abstract
This paper describes the LUS method for creating models (signatures) of computer users from datastreams that characterize users' interactions with computers, and presents the results of initial experiments with this method. By applying the models to new user activities, the system can detect an imposter or verify a user's legitimate activity. In this research, the original datastreams are lists of records extracted from the operating system's process table. In the reported results, the learned user signatures (LUS) are primarily in the form of sets of multistate templates (MTs), each characterizing one pattern in the user's behavior. Advantages of the method include the significant expressive power of the representation (a single template can characterize a large number of different user behaviors) and the ease of interpreting the templates, which makes it possible for an expert to edit or enhance them. The initial results presented show the great promise and power of the method.
Keywords
Intrusion detection, Machine learning, Rule learning
Citation
Michalski, R. S., Kaufman, K., Pietrzykowski, J., Śnieżyński, B. and Wojtusiak, J., "Learning User Models for Computer Intrusion Detection: Preliminary Results from Natural Induction Approach," Reports of the Machine Learning and Inference Laboratory, MLI 05-3, George Mason University, Fairfax, VA, November, 2005.