Windows NT User Profiling for Masquerader Detection

Previous research has mainly studied UNIX system command line users, while here we investigate Windows system users, utilizing real network data. This work primarily focuses on one-class neural network classifier and support vector machines masquerade detection. The one-class approach offers significant ease of management of the roster of users, in that the addition of new users or deletion of legacy ones requires much smaller effort compared to the multi-class case. Two-class study has also been carried out for the purpose of comparison. Both receiver operating characteristic (ROC) curves and area under the ROC curve (AUC) have been evaluated to compare the performance of detecting different masqueraders from different legitimate users. For neural network (NN) two-class training, the best performance is hit rate 90% achieved with false alarm rate of 10%. For support vector machines (SVM), two-class training shows that about 63% hit rate can be reached with a low false alarm rate (about 3.7%). The results of one-class SVM training show the detection rate of about 66.7% with false alarm rate of about 22%. Even though the one-class training approach results in some sacrifice of performance for false alarms, the gains in ease of roster management and reduction in training needed may be more desirable in some practical environments