Skip to Main Content
Anomaly detection provides automated detection of unauthorized intrusion into a computer system by creating a normal profile of the system's behavior, then raising an alert when the system's behavior does not fit the system's normal profile. Approaches to anomaly detection that focus on investigating user's behavior typically assume that a user's command sequences will not vary significantly over time and so tend to flag "unusual" but safe activities as anomalies. We propose the use of "time-variant normal" user profiles that assume a user will change activities over time. The approach combines string-matching algorithms from machine intelligence and sequence alignment algorithms from biomedical informatics to dynamically evaluate user behavior.