An adaptive anomaly detector for worm detection

Authors:
John Mark Agosta;Carlos Diuk-Wasser;Jaideep Chandrashekar;Carl Livadas
Affiliations:
Intel Research, Santa Clara, CA;Dept. of Computer Science, Rutgers University, New Brunswick, NJ;Intel Research, Santa Clara, CA;Intel Research, Santa Clara, CA
Venue:
SYSML'07 Proceedings of the 2nd USENIX workshop on Tackling computer systems problems with machine learning techniques
Year:
2007

Citing 10
Cited 13

A statistical approach to predictive detection

Computer Networks: The International Journal of Computer and Telecommunications Networking - Special issue on selected topics in network and systems management
Class-of-service mapping for QoS: a statistical signature-based approach to IP traffic classification

Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
Characterization of network-wide anomalies in traffic flows

Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
Using AUC and Accuracy in Evaluating Learning Algorithms

IEEE Transactions on Knowledge and Data Engineering
Internet traffic classification using bayesian analysis techniques

SIGMETRICS '05 Proceedings of the 2005 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
BLINC: multilevel traffic classification in the dark

Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
Traffic classification on the fly

ACM SIGCOMM Computer Communication Review
Traffic classification using clustering algorithms

Proceedings of the 2006 SIGCOMM workshop on Mining network data
Probabilistic anomaly detection in distributed computer networks

Science of Computer Programming
When gossip is good: distributed probabilistic inference for detection of slow network intrusions

AAAI'06 proceedings of the 21st national conference on Artificial intelligence - Volume 2

Dependency-based distributed intrusion detection

DETER Proceedings of the DETER Community Workshop on Cyber Security Experimentation and Test on DETER Community Workshop on Cyber Security Experimentation and Test 2007
Continuous Time Bayesian Networks for Host Level Network Intrusion Detection

ECML PKDD '08 Proceedings of the European conference on Machine Learning and Knowledge Discovery in Databases - Part II
A data mining approach for analysis of worm activity through automatic signature generation

Proceedings of the 1st ACM workshop on Workshop on AISec
An integrated approach to detection of fast and slow scanning worms

Proceedings of the 4th International Symposium on Information, Computer, and Communications Security
COD: online temporal clustering for outbreak detection

AAAI'07 Proceedings of the 22nd national conference on Artificial intelligence - Volume 1
On achieving good operating points on an ROC plane using stochastic anomaly score prediction

Proceedings of the 16th ACM conference on Computer and communications security
Abnormal human behavioral pattern detection in assisted living environments

Proceedings of the 3rd International Conference on PErvasive Technologies Related to Assistive Environments
Collaborative defence as a pervasive service: architectural insights and validation methodologies of a trial deployment

International Journal of Sensor Networks
An internet protocol address clustering algorithm

SysML'08 Proceedings of the Third conference on Tackling computer systems problems with machine learning techniques
Intrusion detection using continuous time Bayesian networks

Journal of Artificial Intelligence Research
Two effective methods to detect anomalies in embedded systems

Microelectronics Journal
Automated Anomaly Detector Adaptation using Adaptive Threshold Tuning

ACM Transactions on Information and System Security (TISSEC)
Performance evaluation of a distributed and probabilistic network monitoring approach

Proceedings of the 8th International Conference on Network and Service Management

Quantified Score

Hi-index	0.00

Visualization

Abstract

We present an adaptive end-host anomaly detector where a supervised classifier trained as a traffic predictor is used to control a time-varying detection threshold. Using real enterprise traffic traces for both training and testing, we show that our detector outperforms a fixed-threshold detector. This comparison is robust to the choice of off-the-shelf classifier and to a variety of performance criteria, i.e., the predictor's error rate, the reduction in the "threshold gap," and the ability to detect incremental worm traffic that is added to real life traces. Our adaptive-threshold detector is intended as a part of a distributed worm detection system. This distributed system infers system-wide threats from end-host detections, thereby avoiding the sensing and resource limitations of conventional centralized systems. The system places a constraint on this end-host detector to appear consistent over time and host variability