A method for partial-memory incremental learning and its application to computer intrusion detection

Marcus A. Maloof and Ryszard S. Michalski

This paper describes a partial-memory incremental learning method based on the AQ15c inductive learning system. The method maintains a representative set of past training examples that are used together with new examples to appropriately modify the currently held hypotheses. Incremental learning is evoked by feedback from the environment or from the user. Such a method is useful in applications involving intelligent agents acting in a changing environment, active vision, and dynamic knowledge-bases. For this study, the method is applied to the problem of computer intrusion detection in which symbolic profiles are learned for a computer system's users. In the experiments, the proposed method yielded signi ficant gains in terms of learning time and memory requirements at the expenseof slightly lower predictive accuracy and higher concept complexity, when compared to batch learning, in which all examples are given at once.

This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted without the explicit permission of the copyright holder.

Paper available in PostScript (gzipped) and PDF.

Slides from the talk available in PostScript (gzipped) and PDF.

@inproceedings{maloof.tai.95,
  author = "Maloof, M.A. and Michalski, R.S.",
  title = "A method for partial-memory incremental learning and its
    application to computer intrusion detection",
  booktitle = "{Proceedings of the Seventh IEEE International Conference on
    Tools with Artificial Intelligence}",
  year = 1995,
  pages = "392--397",
  publisher = "IEEE Press",
  address = "Los Alamitos, CA"
}