DocumentCode :
3439993
Title :
Host-Based Anomaly Detection Using Learning Techniques
Author :
Mustafa, Albara ; Solaimani, Mohiuddin ; Khan, Latifur ; Ken Chiang ; Ingram, Joe
Author_Institution :
Dept. of Comput. Sci., Univ. of Texas at Dallas, Dallas, TX, USA
fYear :
2013
fDate :
7-10 Dec. 2013
Firstpage :
1153
Lastpage :
1160
Abstract :
Anomaly detection is a crucial part of computer security. This paper presents various host-based anomaly detection techniques. One technique uses clustering with Markov network (CMN). In CMN, we first cluster the benign training data and then, from each cluster, we build a separate Markov network to model the benign behavior. During testing, each Markov network calculates the probability of each testing instance. If the probability from multiple Markov networks is low, we classify the point as malicious. The paper also presents CMN with Outlying Subspace (CMN-OS). In CMN-OS, a training data set that consists of benign and a few malicious data is used to identify the outlying subspace, which is used as a lower-dimensional representation of the full-dimensional space. Then, CMN uses the new subspace to represent its training and testing data sets. Finally, the paper presents Clustered Label Propagation (CLP). CLP starts by clustering benign and malicious training data. It then labels each cluster based on its central-most point. During testing, these points are added to the testing data as labeled points, and Label Propagation is used to label the testing data. We experimentally show that the CMN approach outperforms several other approaches and performs similarly to CMN-OS, and we show that it is less sensitive to noise as compared to other approaches.
Keywords :
Markov processes; learning (artificial intelligence); pattern clustering; probability; security of data; CLP; CMN; CMN-OS; benign training clustering; clustered label propagation; clustering-with-Markov network; computer-security; host-based anomaly detection techniques; learning techniques; malicious training clustering; outlying subspace; probability calculation; Clustering algorithms; Data models; Manganese; Markov random fields; Testing; Training; Training data; Computer security; Markov random fields; host-based Anomaly Detection;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Data Mining Workshops (ICDMW), 2013 IEEE 13th International Conference on
Conference_Location :
Dallas, TX
Print_ISBN :
978-1-4799-3143-9
Type :
conf
DOI :
10.1109/ICDMW.2013.161
Filename :
6754055
Link To Document :