Automatic feature selection for anomaly detection

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Automatic feature selection for anomaly detection

Full text

Pdf (306 KB)

Source

Conference on Computer and Communications Security archive
Proceedings of the 1st ACM workshop on Workshop on AISec table of contents

Alexandria, Virginia, USA

SESSION: Malware and network security table of contents

Pages 71-76

Year of Publication: 2008

ISBN:978-1-60558-291-7

Authors

Marius Kloft	TU Berlin, Berlin, Germany
Ulf Brefeld	TU Berlin, Berlin, Germany
Patrick Düessel	Fraunhofer Institute FIRST, Berlin, Germany
Christian Gehl	Fraunhofer Institute FIRST, Berlin, Germany
Pavel Laskov	Fraunhofer Institute FIRST, Berlin, Germany

Sponsors

ACM: Association for Computing Machinery
SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 8, Downloads (12 Months): 136, Citation Count: 0

Additional Information:

abstract references index terms collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/1456377.1456395 What is a DOI?

ABSTRACT

A frequent problem in anomaly detection is to decide among different feature sets to be used. For example, various features are known in network intrusion detection based on packet headers, content byte streams or application level protocol parsing. A method for automatic feature selection in anomaly detection is proposed which determines optimal mixture coefficients for various sets of features. The method generalizes the support vector data description (SVDD) and can be expressed as a semi-infinite linear program that can be solved with standard techniques. The case of a single feature set can be handled as a particular case of the proposed method. The experimental evaluation of the new method on unsanitized HTTP data demonstrates that detectors using automatically selected features attain competitive performance, while sparing practitioners from a priori decisions on feature sets to be used.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Francis R. Bach , Gert R. G. Lanckriet , Michael I. Jordan, Multiple kernel learning, conic duality, and the SMO algorithm, Proceedings of the twenty-first international conference on Machine learning, p.6, July 04-08, 2004, Banff, Alberta, Canada [doi>10.1145/1015330.1015424]
	2	Stephanie Forrest , Steven A. Hofmeyr , Anil Somayaji , Thomas A. Longstaff, A Sense of Self for Unix Processes, Proceedings of the 1996 IEEE Symposium on Security and Privacy, p.120, May 06-08, 1996
	3	Amir Globerson , Naftali Tishby, Sufficient dimensionality reduction, The Journal of Machine Learning Research, 3, 3/1/2003
	4	Isabelle Guyon , André Elisseeff, An introduction to variable and feature selection, The Journal of Machine Learning Research, 3, 3/1/2003
	5	Wenke Lee , Salvatore J. Stolfo, A framework for constructing features and models for intrusion detection systems, ACM Transactions on Information and System Security (TISSEC), v.3 n.4, p.227-261, Nov. 2000 [doi>10.1145/382912.382914]
	6	Matthew V. Mahoney , Philip K. Chan, Learning nonstationary models of normal network traffic for detecting novel attacks, Proceedings of the eighth ACM SIGKDD international conference on Knowledge discovery and data mining, July 23-26, 2002, Edmonton, Alberta, Canada [doi>10.1145/775047.775102]
	7	Matthew V. Mahoney , Philip K. Chan, Learning Rules for Anomaly Detection of Hostile Network Traffic, Proceedings of the Third IEEE International Conference on Data Mining, p.601, November 19-22, 2003
	8	H.-N. Nguyen and S.-Y. Ohn. Drfe: Dynamic recursive feature elimination for gene identification based on random forest. In Proceedings of the International Conference on Neural Information Processing, 2006.
	9	Ruoming Pang , Vern Paxson , Robin Sommer , Larry Peterson, binpac: a yacc for writing application protocol parsers, Proceedings of the 6th ACM SIGCOMM conference on Internet measurement, October 25-27, 2006, Rio de Janeriro, Brazil [doi>10.1145/1177080.1177119]
	10	K. Rieck and P. Laskov. Detecting unknown network attacks using language models. In Detection of Intrusions and Malware, and Vulnerability Assessment, Proc. of 3rd DIMVA Conference, LNCS, pages 74--90, July 2006.
	11	K. Rieck and P. Laskov. Language models for detection of unknown attacks in network traffic. In Journal in Computer Virology, 2(4):243--256, 2007.
	12	Sören Sonnenburg , Gunnar Rätsch , Christin Schäfer , Bernhard Schölkopf, Large Scale Multiple Kernel Learning, The Journal of Machine Learning Research, 7, p.1531-1565, 12/1/2006
	13	David M. J. Tax , Robert P. W. Duin, Support Vector Data Description, Machine Learning, v.54 n.1, p.45-66, January 2004 [doi>10.1023/B:MACH.0000008084.60811.49]
	14	K. Wang, J. Parekh, and S. Stolfo. Anagram: A content anomaly detector resistant to mimicry attack. In Recent Adances in Intrusion Detection (RAID), pages 226--248, 2006.
	15	K. Wang and S. Stolfo. Anomalous payload-based network intrusion detection. In Recent Adances in Intrusion Detection (RAID), pages 203--222, 2004.
	16	Hua-Liang Wei , Stephen A. Billings, Feature Subset Selection and Ranking for Data Dimensionality Reduction, IEEE Transactions on Pattern Analysis and Machine Intelligence, v.29 n.1, p.162-166, January 2007 [doi>10.1109/TPAMI.2007.11]
	17	Alexander Zien , Cheng Soon Ong, Multiclass multiple kernel learning, Proceedings of the 24th international conference on Machine learning, p.1191-1198, June 20-24, 2007, Corvalis, Oregon [doi>10.1145/1273496.1273646]