ABSTRACT

This chapter discusses the testing methodology and experimental results, and describes the organization of the experiments, the dataset, and the experimental setup. In particular, it discusses ensemble-based techniques for non-sequence data. For the insider threat detection approach, the authors use an ensemble-based approach that is scored in real time. The ensemble maintains K models, each a one-class support vector machine (SVM) constructed from a single day of data and weighted according to the accuracy of that model's previous decisions. It is therefore reasonable to compare the authors' updating stream ensemble with a simple one-class SVM (OCSVM) model constructed once and tested on the stream as new data becomes available. In the first experiment, the OCSVM outperforms the two-class SVM: put simply, the two-class SVM is unable to detect any of the positive cases correctly. The superiority of the OCSVM over the two-class SVM for insider threat detection further justifies the authors' decision to use the OCSVM in their test on stream data.