Date of Award
5-2008
Document Type
Dissertation
Degree Name
Doctor of Philosophy (PhD)
Department
Computer Engineering and Sciences
First Advisor
Philip K. Chan
Second Advisor
Debasis Mitra
Third Advisor
Marius C. Silaghi
Fourth Advisor
Georgios C. Anagnostopoulos
Abstract
Anomaly detection techniques complement signature-based methods for intrusion detection. Machine learning approaches are applied to anomaly detection for automated learning and detection. Traditional host-based anomaly detectors model system call sequences to detect novel attacks. This dissertation makes four key contributions to detecting host anomalies. First, we present an unsupervised approach to cleaning training data using novel representations for system call sequences. Second, supervised learning with system call arguments and other attributes is proposed for enriched modeling. Third, techniques to increase model coverage for improved accuracy are presented. Fourth, we propose spatio-temporal modeling to detect suspicious behavior on mobile hosts. Experimental results on various data sets indicate that our techniques are more effective than traditional methods in capturing attack-based host anomalies. Additionally, our supervised methods create succinct models, and the computational overhead incurred is reasonable for an online anomaly detection system.
Recommended Citation
Tandon, Gaurav, "Machine Learning for Host-based Anomaly Detection" (2008). Theses and Dissertations. 685.
https://repository.fit.edu/etd/685
Comments
Copyright held by author