Abstract:
In the computer security task of anomaly detection, we wish to measure not only the classification accuracy of a detector but also the average time to detection. This quantity represents either the average time between false alarms (for a valid user) or the average time until a hostile user is detected. We examine the use of noise suppression filters as components of a learning classification system for this domain. We empirically evaluate the behaviors of a trailing window mean value filter and a trailing window median value filter in terms of both accuracy and time to detection. We find that the median filter is generally to be preferred for this domain.
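The following sketch is an added example, not code from the paper: it applies a trailing window mean filter and a trailing window median filter to a stream of per-event anomaly scores and reports how many events pass before the first alarm. The score streams, window length, threshold, and the convention that a higher score means more anomalous are all assumptions made for illustration.

```python
from statistics import mean, median

def trailing_filter(scores, window, reducer):
    """Smooth a score stream with a trailing window.

    Output element k is reducer(scores[k : k + window]), i.e. the window
    ending at event index k + window - 1. Nothing is emitted until a full
    window of events has been observed.
    """
    return [reducer(scores[i - window + 1 : i + 1])
            for i in range(window - 1, len(scores))]

def events_until_alarm(scores, window, reducer, threshold):
    """Number of events observed when the smoothed score first exceeds
    the threshold, or None if no alarm is ever raised."""
    smoothed = trailing_filter(scores, window, reducer)
    for k, value in enumerate(smoothed):
        if value > threshold:
            return k + window  # window ending at index k + window - 1
    return None

# Constructed sample data (assumption: higher score = more anomalous).
VALID_USER = [0.1, 0.2, 0.1, 0.9, 0.1, 0.2, 0.1, 0.1]    # one isolated noise spike
HOSTILE_USER = [0.1, 0.2, 0.8, 0.9, 0.8, 0.9, 0.8, 0.9]  # sustained anomalous behavior
WINDOW = 3        # assumed window length
THRESHOLD = 0.35  # assumed alarm threshold

def compare():
    """Time to first alarm for each filter on each constructed stream."""
    results = {}
    for name, reducer in (("mean", mean), ("median", median)):
        results[name] = {
            "valid": events_until_alarm(VALID_USER, WINDOW, reducer, THRESHOLD),
            "hostile": events_until_alarm(HOSTILE_USER, WINDOW, reducer, THRESHOLD),
        }
    return results

if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:6s} false alarm after: {r['valid']}  "
              f"hostile detected after: {r['hostile']}")
```

On this constructed data the single spike drags the windowed mean over the threshold and raises a false alarm for the valid user, while the median ignores it and detects the hostile stream one event later than the mean does.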