Data Reduction Techniques for Instance-Based Learning from Human/Computer Interface Data

We describe the task of user-oriented anomaly detection for computer security. In this domain the goal is to develop a model of a computer user's normal behavioral patterns and to detect anomalous conditions as deviations from expected behaviors. We present an instance-based learning (IBL) system for profiling users and examine some domain constraints with respect to our approach. In particular, we explore the data reduction problem; this domain is subject to unbounded data and concept drift but is constrained by limited resources so we must limit the size of the learned model. We empirically examine the data reduction performance of two clustering methods -- an EM procedure, K-centers, and a greedy clustering method developed to address domain characteristics. We evaluate the relative strengths of the two methods along three performance axes: accuracy, mean time to generation of an alarm (TTA), and data compression. 1. Introduction Automated modeling of human beha..