Dependency-based distributed intrusion detection

Authors:
Ji Li;Dah-Yoh Lim;Karen Sollins
Affiliations:
MIT Computer Science and Artificial Intelligence Laboratory, Cambridge, MA;MIT Computer Science and Artificial Intelligence Laboratory, Cambridge, MA;MIT Computer Science and Artificial Intelligence Laboratory, Cambridge, MA
Venue:
DETER Proceedings of the DETER Community Workshop on Cyber Security Experimentation and Test on DETER Community Workshop on Cyber Security Experimentation and Test 2007
Year:
2007

Citing 11
Cited 2

A tutorial on hidden Markov models and selected applications in speech recognition

Readings in speech recognition
Bro: a system for detecting network intruders in real-time

Computer Networks: The International Journal of Computer and Telecommunications Networking
How to Own the Internet in Your Spare Time

Proceedings of the 11th USENIX Security Symposium
Designing for scale and differentiation

FDNA '03 Proceedings of the ACM SIGCOMM workshop on Future directions in network architecture
Snort - Lightweight Intrusion Detection for Networks

LISA '99 Proceedings of the 13th USENIX conference on System administration
Implementing aggregation and broadcast over Distributed Hash Tables

ACM SIGCOMM Computer Communication Review
Host-based detection of worms through peer-to-peer cooperation

Proceedings of the 2005 ACM workshop on Rapid malcode
Towards Automatic Generation of Vulnerability-Based Signatures

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
A distributed host-based worm detection system

Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense
An adaptive anomaly detector for worm detection

SYSML'07 Proceedings of the 2nd USENIX workshop on Tackling computer systems problems with machine learning techniques
When gossip is good: distributed probabilistic inference for detection of slow network intrusions

AAAI'06 proceedings of the 21st national conference on Artificial intelligence - Volume 2

Collaborative defence as a pervasive service: architectural insights and validation methodologies of a trial deployment

International Journal of Sensor Networks
A model for detecting "global footprint anomalies" in a grid environment

PAISI'10 Proceedings of the 2010 Pacific Asia conference on Intelligence and Security Informatics

Quantified Score

Hi-index	0.00

Visualization

Abstract

Distributed network intrusion detection has attracted much attention recently. Our main focus in this work is on zero-day, slow-scanning worms, of which no existing signatures are available. We organize end hosts into regions based on network knowledge, which we posit is positively correlated to the dependency structure. Leveraging on this organization, we apply different intrusion detection techniques within and across regions. We use a hidden Markov model (HMM) within a region to capture the dependency among hosts, and use sequential hypothesis testing (SHT) globally to take advantage of the independence between regions. We conduct experiments on DETER, and preliminary results show improvement on detection effectiveness and reduction of communication overhead.