Title :
Windows NT one-class masquerade detection
Author :
Li, Ling ; Manikopoulos, Constantine N.
Author_Institution :
Dept. of ECE, New Jersey Inst. of Technol., Newark, NJ, USA
Abstract :
Previous research has mainly studied UNIX system command line users, while here we investigate Windows system users, utilizing real network data. This work primarily focuses on one-class support vector machine (SVM) masquerade detection. One-class training requires only the user's own legitimate sessions to build up the user's profile. The one-class approach offers significant ease of management of the roster of users, in that the addition of new users or deletion of legacy ones requires much smaller effort compared to the multiclass case. A two-class SVM study has also been carried out for the purpose of comparison. ROC scores have been computed to compare the performance in detecting different masqueraders. The two-class training achieves a 63% hit rate with a low false alarm rate (about 3.7%), comparable to the best UNIX system results. The results of one-class training show a detection rate of about 66.7% with a corresponding false alarm rate of about 22%. Even though the one-class training approach results in some sacrifice of performance for false alarms, the gains in ease of roster management and reduction in training needed may be more desirable in some practical environments.
Keywords :
learning (artificial intelligence); network operating systems; security of data; support vector machines; SVM; Windows NT; masquerade detection; one-class training; support vector machine; user profiling; Access control; Authentication; Computer network management; Environmental management; Information systems; Law; Legal factors; Management training; Performance gain; Support vector machines;
Conference_Titel :
Information Assurance Workshop, 2004. Proceedings from the Fifth Annual IEEE SMC
Print_ISBN :
0-7803-8572-1
DOI :
10.1109/IAW.2004.1437801