• DocumentCode
    429730
  • Title

    Dynamic model selection with its applications to computer security

  • Author

    Maruyama, Yuko ; Yamanishi, Kenji

  • Author_Institution
    NEC Corp., Kanagawa, Japan
  • fYear
    2004
  • fDate
    24-29 Oct. 2004
  • Firstpage
    82
  • Lastpage
    87
  • Abstract
    In recent years there has been increased interest in detecting anomalies in network traffic data/audit logs for computer security. With the appearance of a masquerader, for example, any new anomalous behavior pattern may be observed in command line data, and it is an important issue to detect the emergence of such a pattern as early as possible. This paper addresses this issue of anomaly detection by dynamically selecting statistical models from data. Our goal is here not to select a single model over the data as in conventional statistical model selection, but to select a time series of optimal models efficiently, assuming that the true model may change over time. We call this approach dynamic model selection. We first propose a coding-theoretic criterion for dynamic model selection. Next, we propose two dynamic model selection algorithms attaining the minimum of the criteria and analyze their performance. Finally we demonstrate the validity of our algorithms through real application to masquerade detection using UNIX command sequences.
  • Keywords
    Unix; computer network management; encoding; sequences; telecommunication security; time series; UNIX command sequences; anomaly detection; coding-theoretic criterion; computer security; dynamic model selection; masquerade detection; optimal models; performance; statistical models; time series; Algorithm design and analysis; Application software; Change detection algorithms; Computer security; Electronic mail; Intrusion detection; National electric code; Performance analysis; Telecommunication traffic; Traffic control;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Information Theory Workshop, 2004. IEEE
  • Print_ISBN
    0-7803-8720-1
  • Type

    conf

  • DOI
    10.1109/ITW.2004.1405279
  • Filename
    1405279