Entry Lane:1999:TSL from tissec.bib

Last update: Sun Oct 15 02:58:48 MDT 2017

Index sections

Top | Symbols | Numbers | Math | A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z

BibTeX entry

@Article{Lane:1999:TSL,
  author =       "Terran Lane and Carla E. Brodley",
  title =        "Temporal sequence learning and data reduction for
                 anomaly detection",
  journal =      j-TISSEC,
  volume =       "2",
  number =       "3",
  pages =        "295--331",
  month =        aug,
  year =         "1999",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Oct 26 11:39:38 MDT 2000",
  bibsource =    "http://www.acm.org/tissec/contents/v2no3.html;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  URL =          "http://www.acm.org/pubs/citations/journals/tissec/1999-2-3/p295-lane/",
  abstract =     "The anomaly-detection problem can be formulated as one
                 of learning to characterize the behaviors of an
                 individual, system, or network in terms of temporal
                 sequences of discrete data. We present an approach on
                 the basis of instance-based learning (IBL) techniques.
                 To cast the anomaly-detection task in an IBL framework,
                 we employ an approach that transforms temporal
                 sequences of discrete, unordered observations into a
                 metric space via a similarity measure that encodes
                 intra-attribute dependencies. Classification boundaries
                 are selected from an {\em a posteriori\/}
                 characterization of valid user behaviors, coupled with
                 a domain heuristic. An empirical evaluation of the
                 approach on user command data demonstrates that we can
                 accurately differentiate the profiled user from
                 alternative users when the available features encode
                 sufficient information. Furthermore, we demonstrate
                 that the system detects anomalous conditions {\em
                 quickly\/} --- an important quality for reducing
                 potential damage by a malicious user. We present
                 several techniques for reducing data storage
                 requirements of the user profile, including
                 instance-selection methods and clustering. As empirical
                 evaluation shows that a new greedy clustering algorithm
                 reduces the size of the user model by 70\%, with only a
                 small loss in accuracy.",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "anomaly detection; clustering; data reduction;
                 empirical evaluation; instance based learning; machine
                 learning; user profiling",
  subject =      "Software --- Operating Systems --- Security and
                 Protection (D.4.6)",
}

Related entries

accuracy, 11(2)2, 12(1)4, 12(2)13, 12(3)17, 13(4)35, 13(4)38, 15(2)7, 15(3)12, 15(4)17, 17(3)12, 18(4)12
accurately, 10(4)1, 11(3)12, 12(2)13, 12(3)17, 18(2)7, 18(4)12
algorithm, 1(1)26, 2(1)3, 2(1)65, 2(1)105, 9(2)162, 9(4)391, 9(4)421, 10(1)4, 10(4)3, 11(1)4, 11(3)12, 12(2)8, 12(3)17, 12(4)20, 13(1)10, 13(3)20, 13(3)22, 13(3)24, 13(3)26, 13(3)27, 13(3)28, 13(4)36, 13(4)41, 14(1)3, 14(1)13, 14(3)25, 15(3)11, 15(4)15, 15(4)17, 16(1)4, 17(3)11, 17(4)13, 18(1)1, 18(1)4, 18(4)14
alternative, 2(1)3, 2(1)34, 10(4)3, 12(3)16, 15(2)10, 15(4)15, 17(2)8, 17(4)14, 18(4)13
anomalous, 9(1)61
anomaly, 5(3)203, 12(2)12, 15(4)17
approach, 1(1)3, 1(1)26, 2(1)34, 2(2)138, 2(3)269, 5(2)119, 5(3)203, 6(1)128, 7(3)392, 9(4)391, 9(4)421, 10(1)2, 10(1)4, 10(3)11, 10(3)12, 10(4)4, 11(1)3, 11(3)15, 11(3)16, 11(4)17, 11(4)19, 12(1)1, 12(1)4, 12(2)11, 12(3)14, 13(3)20, 13(3)24, 13(4)31, 13(4)35, 13(4)36, 14(1)8, 14(3)23, 14(4)29, 15(1)4, 15(3)12, 15(3)13, 15(4)15, 15(4)17, 15(4)18, 16(2)5, 16(2)7, 16(2)8, 16(4)15, 16(4)16, 17(3)12, 17(4)14, 18(2)5, 18(2)7, 18(3)11
available, 1(1)3, 12(1)1, 13(3)22, 13(3)25, 16(3)11, 17(1)1, 17(3)9, 17(3)11, 18(1)2, 18(4)12
based, 1(1)3, 2(1)34, 2(2)177, 2(3)230, 2(3)332, 3(3)161, 7(2)319, 9(2)162, 9(2)181, 9(4)421, 10(1)2, 10(1)4, 10(2)6, 11(1)3, 11(2)1, 11(2)4, 11(3)12, 11(3)15, 11(4)17, 11(4)18, 12(1)1, 12(1)4, 12(2)13, 12(3)16, 12(3)17, 12(3)18, 13(3)24, 13(3)27, 13(3)28, 13(4)29, 13(4)30, 13(4)31, 13(4)41, 14(1)3, 14(1)4, 14(1)8, 14(1)9, 14(1)10, 14(4)30, 15(2)6, 15(2)7, 15(3)13, 16(2)8, 16(4)16, 17(1)3, 17(2)7, 17(3)12, 17(4)13, 17(4)14, 17(4)15, 17(4)16, 18(1)1, 18(1)4, 18(3)10, 18(3)11, 18(4)14
basis, 2(1)34, 10(4)2, 11(4)20, 11(4)22, 12(1)2, 13(3)27, 14(1)8, 16(4)14
behavior, 2(4)354, 10(4)6, 11(4)19, 12(1)5, 12(3)14, 12(3)19, 14(1)10, 14(4)32, 15(1)2, 15(2)10, 15(3)14, 16(3)12, 17(2)8, 18(2)5, 18(2)7, 18(3)9
boundary, 10(1)2, 11(1)2
Brodley, Carla E., 12(4)22
characterization, 11(4)17
characterize, 1(1)26, 12(1)2, 12(1)5, 14(3)23, 18(2)5
classification, 15(3)12, 16(1)3, 18(3)11
clustering, 6(4)443
condition, 1(1)26, 10(4)1, 11(1)3, 11(2)2, 11(4)21, 12(2)11, 13(3)26, 16(1)3, 17(1)2, 18(1)2, 18(2)5, 18(2)6
coupled, 15(3)13
D.4.6, 1(1)3, 2(1)3, 2(1)34, 2(1)105, 2(2)138, 2(2)177, 2(4)354
damage, 10(4)6, 11(4)20, 12(2)12
demonstrate, 10(1)4, 10(4)1, 10(4)4, 10(4)6, 11(1)3, 11(3)16, 11(4)22, 12(1)4, 12(3)19, 13(1)10, 13(4)30, 13(4)31, 13(4)38, 14(3)27, 15(1)2, 15(1)4, 15(2)7, 15(3)12, 15(3)13, 15(4)16, 16(3)9, 16(3)10, 17(2)8, 17(3)10, 17(3)12, 17(4)16, 18(2)8, 18(4)12, 18(4)14
dependencies, 10(1)3
detect, 10(4)6, 11(3)14, 11(3)15, 12(2)10, 12(2)11, 12(2)13, 12(3)19, 14(1)13, 15(2)6, 16(2)5, 16(4)14, 17(4)16, 18(2)7, 18(3)9
detection, 2(2)159, 3(1)1, 3(3)186, 3(4)227, 3(4)262, 4(4)407, 5(3)203, 6(2)173, 6(4)443, 7(4)591, 9(1)61, 10(1)4, 11(2)2, 11(3)12, 11(3)15, 11(4)19, 11(4)20, 12(2)11, 12(2)12, 12(2)13, 12(4)22, 13(2)12, 13(4)30, 14(1)13, 14(3)27, 15(2)6, 15(3)11, 15(4)17, 17(4)13, 17(4)15, 18(1)2, 18(2)7, 18(3)9
discrete, 15(1)4
domain, 14(1)9, 14(4)31, 16(4)14, 16(4)15, 16(4)17, 17(2)5, 17(2)7, 18(2)6, 18(2)8
empirical, 16(4)13, 17(4)14, 18(1)1
employ, 2(4)390, 10(4)5, 11(2)1, 11(4)19, 12(3)16, 14(4)32, 16(4)16
encode, 12(4)22, 15(1)4
evaluation, 3(4)262, 10(1)3, 11(1)3, 11(4)20, 11(4)22, 12(2)8, 12(2)11, 12(4)20, 13(2)14, 13(3)24, 13(3)25, 16(1)1, 16(1)2, 16(3)9, 16(4)13, 16(4)17, 17(4)14, 18(1)1
feature, 2(1)34, 2(2)177, 3(4)227, 10(1)2, 10(3)12, 11(4)22, 13(3)24, 13(4)32, 13(4)35, 13(4)41, 16(2)5, 16(2)7, 16(4)13, 16(4)14, 17(3)10, 17(4)16, 18(2)5, 18(3)11
framework, 3(4)227, 6(1)71, 6(3)404, 7(2)175, 8(2)187, 9(2)181, 9(4)391, 10(1)2, 10(3)10, 11(1)3, 11(3)12, 11(4)19, 11(4)20, 12(1)2, 12(1)4, 12(1)5, 12(3)19, 12(4)21, 13(3)24, 13(3)28, 14(1)9, 14(1)11, 14(2)21, 14(4)31, 15(2)10, 15(3)12, 15(3)14, 15(4)17, 16(1)2, 16(3)9, 16(4)15, 16(4)17, 17(1)3, 17(2)5, 17(2)7, 17(3)11, 17(3)12, 17(4)13, 17(4)14, 17(4)15, 18(1)4, 18(3)10, 18(4)12
furthermore, 2(4)390, 10(4)2, 12(1)6, 12(4)20, 13(1)10, 13(3)26, 13(3)28, 13(4)32, 13(4)40, 14(1)4, 15(2)6, 16(1)3, 17(2)7, 17(4)16
greedy, 11(4)19, 15(4)15, 17(4)13
heuristic, 13(3)22, 13(3)27, 16(4)16
important, 1(1)3, 1(1)66, 10(2)8, 11(3)14, 11(4)18, 11(4)20, 12(1)4, 13(3)26, 13(3)27, 13(4)36, 14(4)28, 15(3)12, 15(4)18, 16(1)4, 17(3)11
including, 2(2)177, 10(2)6, 10(3)11, 10(4)1, 11(2)2, 11(3)14, 11(4)20, 11(4)22, 12(2)12, 12(3)14, 12(3)19, 13(4)32, 14(1)13, 15(2)6, 15(3)12, 16(2)5, 16(2)7, 16(4)17, 18(1)1, 18(1)4
individual, 10(1)4, 10(4)6, 11(1)3, 11(4)18, 14(3)26, 17(1)1, 17(2)8, 18(2)6
instance, 2(1)65, 2(2)177, 10(1)4, 10(4)3, 12(4)20, 13(4)35, 14(1)9, 17(3)9
learning, 12(3)16, 13(1)10, 14(1)10, 14(2)21, 14(4)29
loss, 14(1)5, 15(4)16
machine, 2(2)159, 2(2)177, 2(3)230, 12(2)12, 14(1)6, 14(1)10, 14(2)18, 14(2)21, 15(2)9, 15(3)12, 16(2)7, 16(3)9, 16(4)13, 16(4)14, 17(2)8, 18(2)6, 18(3)11
malicious, 2(2)177, 10(3)11, 10(4)6, 11(2)2, 11(3)13, 11(3)14, 11(3)15, 11(4)22, 11(4)23, 12(2)12, 12(3)14, 14(1)13, 15(1)2, 15(4)17, 16(2)6, 16(3)12, 16(4)13, 16(4)14, 17(3)10, 17(3)12, 17(4)13, 18(2)5
measure, 2(3)269, 9(2)162, 10(4)5, 11(4)17, 12(3)17, 12(4)22, 13(3)22, 13(4)36, 15(1)2, 16(2)6, 17(1)1, 18(1)1, 18(2)5
method, 1(1)3, 1(1)26, 2(2)159, 2(3)332, 2(4)416, 9(3)259, 10(1)3, 10(3)10, 10(4)4, 10(4)5, 11(2)2, 11(3)16, 11(4)19, 11(4)22, 12(1)2, 12(1)6, 12(2)13, 12(3)16, 13(2)15, 13(4)35, 15(1)4, 15(2)10, 15(3)12, 15(4)15, 15(4)17, 17(3)12, 18(3)9
metric, 2(2)138, 10(4)6, 11(2)2, 15(2)10, 18(3)11
new, 1(1)3, 1(1)93, 2(1)105, 2(2)138, 9(2)181, 9(4)461, 10(1)3, 10(2)6, 10(4)6, 11(4)17, 12(1)2, 12(1)3, 12(2)11, 12(3)14, 12(3)15, 12(3)16, 12(4)21, 12(4)22, 13(2)15, 13(4)29, 13(4)34, 14(1)4, 14(1)5, 14(1)6, 14(1)13, 14(3)23, 14(3)27, 14(4)30, 15(1)3, 15(2)7, 15(2)9, 15(2)10, 15(3)12, 15(4)15, 16(2)5, 16(2)7, 16(3)12, 16(4)16, 16(4)17, 17(1)4, 17(2)7, 17(3)10, 17(4)15, 18(1)1, 18(1)2, 18(3)10, 18(3)11
observation, 2(1)34, 11(2)4, 12(1)4, 13(1)10, 18(1)4
one, 1(1)26, 1(1)93, 2(1)3, 2(1)65, 9(4)461, 10(1)2, 10(2)5, 10(2)8, 10(3)12, 10(4)3, 11(2)6, 11(3)14, 12(1)1, 12(1)5, 12(2)13, 12(3)14, 13(3)21, 13(3)25, 13(3)26, 13(3)27, 13(4)41, 14(1)3, 14(1)5, 14(4)30, 14(4)32, 15(2)10, 15(3)11, 15(4)16, 15(4)18, 16(1)3, 16(1)4, 16(3)9, 16(4)14, 17(2)8, 17(4)13, 18(1)1, 18(3)11, 18(4)13
only, 2(3)230, 10(4)3, 11(1)3, 11(2)4, 11(3)13, 11(4)20, 12(1)2, 12(1)3, 12(2)13, 12(3)19, 12(4)21, 13(1)10, 13(3)25, 13(3)28, 13(4)35, 13(4)37, 13(4)39, 14(1)5, 14(1)11, 14(3)26, 14(4)31, 15(2)9, 15(4)16, 15(4)18, 16(1)3, 16(2)6, 16(2)7, 16(3)9, 16(3)10, 16(4)13, 17(3)9, 17(4)15, 18(2)5, 18(2)8
operating, 2(2)138, 2(2)177, 2(4)354, 4(1)72, 5(1)36, 11(4)20, 12(3)14, 13(1)10, 13(4)30, 14(1)6, 14(1)8, 14(3)24, 15(4)16, 17(4)14, 18(2)5, 18(3)11
potential, 11(3)16, 18(4)12
present, 1(1)26, 2(1)3, 2(1)65, 2(2)177, 2(3)230, 2(3)269, 2(4)354, 7(2)319, 9(2)181, 9(4)461, 10(1)2, 10(2)7, 10(3)10, 10(3)11, 10(3)12, 10(4)2, 10(4)3, 11(1)2, 11(1)4, 11(2)2, 11(2)5, 11(3)14, 11(4)22, 12(1)2, 12(1)4, 12(2)10, 12(2)11, 12(3)14, 12(3)15, 12(3)16, 12(3)17, 12(4)22, 13(1)10, 13(3)20, 13(3)22, 13(3)25, 13(3)28, 13(4)29, 13(4)41, 14(1)4, 14(1)5, 14(1)6, 15(1)2, 15(2)6, 15(2)8, 15(2)10, 15(3)12, 15(3)13, 15(4)16, 15(4)18, 16(2)6, 16(2)7, 16(4)13, 16(4)14, 17(1)4, 17(2)6, 17(2)7, 17(2)8, 17(3)9, 17(3)12, 17(4)14, 17(4)15, 17(4)16, 18(1)3, 18(1)4, 18(2)7, 18(3)9, 18(3)10, 18(3)11, 18(4)12, 18(4)14
problem, 1(1)3, 2(3)269, 5(3)238, 9(2)162, 9(4)391, 10(2)5, 10(2)8, 10(3)9, 10(3)10, 10(3)12, 10(4)1, 10(4)3, 11(2)2, 11(3)12, 11(3)15, 11(4)19, 12(1)2, 12(1)6, 12(2)9, 12(3)18, 12(4)20, 13(3)22, 13(3)26, 13(3)27, 13(4)33, 13(4)36, 13(4)40, 14(3)25, 14(4)31, 15(4)15, 15(4)18, 16(1)3, 16(1)4, 16(3)11, 16(4)15, 17(2)8, 17(3)11, 17(4)15, 18(1)3
profile, 2(4)354, 4(1)72, 16(2)8
profiled, 9(2)162
protection, 1(1)3, 1(1)26, 1(1)66, 1(1)93, 2(1)3, 2(1)34, 2(1)105, 2(2)138, 2(2)177, 2(3)230, 2(4)354, 2(4)390, 10(1)3, 10(3)9, 11(4)20, 12(2)9, 12(2)11, 13(3)22, 14(3)24, 15(1)2, 15(2)8, 16(2)6
quality, 2(3)269, 11(4)17, 12(2)11, 15(2)7, 18(1)1
quickly, 10(4)4, 11(2)3, 13(3)22, 15(3)13
reduce, 7(2)319, 9(4)391, 11(3)14, 11(4)17, 12(2)13, 12(3)17, 13(3)27, 13(4)40, 14(1)12, 15(3)12, 16(1)4, 16(3)10, 16(4)17, 18(4)12, 18(4)13
reducing, 11(4)18, 14(1)3, 15(2)6, 15(4)17, 18(2)5
reduction, 9(4)391, 9(4)461, 12(3)18, 13(4)29, 16(1)4, 17(1)1
requirements, 2(2)177, 10(2)7, 11(1)4, 12(1)1, 12(1)5, 12(2)8, 13(3)20, 13(3)22, 15(2)6, 15(3)13, 16(1)4, 17(3)10, 18(1)3, 18(4)13
selected, 17(1)1, 17(1)2, 18(1)1
sequence, 10(2)8, 13(3)20, 13(4)35, 14(4)32, 15(1)2, 15(2)10, 16(2)8
several, 1(1)93, 2(1)65, 2(2)138, 2(3)230, 10(1)2, 10(1)4, 10(2)6, 10(2)7, 10(3)12, 10(4)6, 11(1)4, 11(2)4, 11(4)17, 12(2)8, 12(4)20, 13(3)27, 13(4)30, 13(4)39, 13(4)41, 14(3)27, 14(4)29, 14(4)31, 15(2)6, 15(2)10, 16(3)12, 17(1)4, 17(3)9, 17(3)10, 18(1)1
similarity, 10(1)3, 16(4)16, 18(4)12
size, 10(3)11, 10(4)5, 11(2)6, 11(3)13, 11(4)18, 12(3)16, 12(4)20, 14(1)3, 14(4)29, 17(4)15, 18(1)4, 18(4)12
small, 10(3)11, 10(4)3, 10(4)5, 12(1)6, 12(3)15, 12(3)16, 12(3)18, 12(4)21, 14(1)12, 15(1)3, 15(1)4, 15(4)15, 16(1)1, 17(4)15, 18(2)5
software, 1(1)3, 2(1)3, 2(1)34, 2(1)105, 2(2)138, 2(2)177, 2(4)354, 3(1)51, 11(1)2, 12(2)11, 12(2)12, 12(3)14, 12(3)19, 14(1)8, 14(3)24, 14(4)32, 15(2)8, 17(1)1, 17(3)11
space, 6(1)43, 6(3)327, 10(4)5, 12(2)8, 12(3)18, 12(3)19, 14(1)14, 15(1)2, 18(4)13
storage, 2(4)354, 9(1)1, 10(4)3, 11(1)4, 12(1)3, 12(3)15, 12(3)16, 12(3)18, 13(3)22, 13(4)30, 13(4)37, 14(1)12, 14(2)20, 15(2)6, 15(2)9, 16(3)12, 17(3)10, 17(4)15
sufficient, 16(1)3, 18(2)8
task, 2(1)65, 9(4)391, 10(2)5, 11(4)23, 12(3)14, 12(4)20, 13(3)20, 13(3)27, 15(2)9, 15(3)13, 16(3)11, 17(1)4
technique, 1(1)3, 2(2)138, 2(3)230, 2(4)416, 7(2)274, 9(4)391, 9(4)461, 10(2)6, 10(3)9, 10(4)6, 11(2)2, 11(3)12, 11(3)16, 11(4)17, 11(4)18, 11(4)22, 12(1)4, 12(2)11, 12(2)13, 12(3)16, 12(3)18, 13(3)22, 13(3)25, 13(3)28, 13(4)32, 13(4)33, 13(4)35, 13(4)36, 13(4)39, 14(1)3, 14(1)5, 14(1)6, 14(1)13, 14(3)24, 14(4)32, 15(1)2, 15(1)5, 15(2)7, 15(2)8, 15(3)12, 15(4)17, 15(4)18, 16(1)2, 16(2)6, 16(2)7, 16(3)11, 16(4)13, 16(4)14, 17(3)9, 17(3)12, 17(4)16, 18(1)2, 18(2)6, 18(3)11
temporal, 4(3)191, 5(1)62, 10(1)3, 10(4)2, 14(1)14, 18(2)7
term, 10(3)9, 11(3)15, 11(4)19, 13(3)22, 15(2)6, 15(2)8, 15(3)13
transform, 15(2)10, 15(4)17
valid, 14(4)32, 15(2)10
via, 2(4)390, 9(4)461, 11(3)13, 12(3)14, 12(3)18, 14(1)9, 16(2)7, 16(4)17, 17(2)5
when, 10(2)7, 10(3)12, 10(4)4, 10(4)6, 11(2)3, 11(2)6, 11(3)15, 11(3)16, 11(4)17, 11(4)18, 12(2)10, 12(2)11, 12(4)20, 12(4)22, 13(1)10, 13(3)27, 13(4)32, 13(4)34, 13(4)35, 13(4)37, 15(2)6, 15(2)9, 15(2)10, 15(3)14, 16(1)3, 16(2)8, 17(3)9, 17(4)13, 18(3)9, 18(4)12