This paper describes experiences and results applying Support Vector Machine (SVM) to a Computer Intrusion Detection (CID) dataset. This is the second stage of work with this dataset, emphasizing incorporation of anomaly detection in the modeling and prediction of cyber--attacks. The SVM method for classification is used as a benchmark method (from previous study \cite{CID1}), and the anomaly detection approaches compare so--called ``one class'' SVMs with a thresholded Mahalanobis distance to define support regions. Results compare the performance of the methods, and investigate joint performance of classification and anomaly detection. The dataset used is the DARPA/KDD-99 publicly available dataset of features from network packets classified into non--attack and four attack categories.
M. Fugate and J.R. Gattiker, Anomaly Detection Enhanced Classification in Computer Intrusion Detection. Lecture Notes in Computer Science, Volume 2388, pp 186, 2002. LANL Tech Report LA-UR-02-1149. [ Abstract | PDF (400 KB) ]
