Impact of IT monoculture on behavioral end host intrusion detection

Authors:
Dhiman Barman;Jaideep Chandrashekar;Nina Taft;Michalis Faloutsos;Ling Huang;Frederic Giroire
Affiliations:
Juniper, Sunnyvale, CA, USA;Intel Labs, Berkeley, CA, USA;Intel Labs, Berkeley, CA, USA;University of California, Riverside, CA, USA;Intel Labs, Berkeley, CA, USA;INRIA, Sophia-Antipolis, France
Venue:
Proceedings of the 1st ACM workshop on Research on enterprise networking
Year:
2009

Citing 16
Cited 0

Bro: a system for detecting network intruders in real-time

Computer Networks: The International Journal of Computer and Telecommunications Networking
Mimicry attacks on host-based intrusion detection systems

Proceedings of the 9th ACM conference on Computer and communications security
BlueBoX: A policy-driven, host-based intrusion detection system

ACM Transactions on Information and System Security (TISSEC)
Building Diverse Computer Systems

HOTOS '97 Proceedings of the 6th Workshop on Hot Topics in Operating Systems (HotOS-VI)
Use of diversity as a defense mechanism

NSPW '05 Proceedings of the 2005 workshop on New security paradigms
An algorithm for anomaly-based botnet detection

SRUTI'06 Proceedings of the 2nd conference on Steps to Reducing Unwanted Traffic on the Internet - Volume 2
BotHunter: detecting malware infection through IDS-driven dialog correlation

SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Towards automatic discovery of deviations in binary implementations with applications to error detection and fingerprint generation

SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Phalanx: withstanding multimillion-node botnets

NSDI'08 Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation
To filter or to authorize: network-layer DoS defense against multimillion-node botnets

Proceedings of the ACM SIGCOMM 2008 conference on Data communication
Execution Trace-Driven Automated Attack Signature Generation

ACSAC '08 Proceedings of the 2008 Annual Computer Security Applications Conference
The Monoculture Risk Put into Context

IEEE Security and Privacy
TVA: a DoS-limiting network architecture

IEEE/ACM Transactions on Networking (TON)
Challenges in security and traffic management in enterprise networks

Challenges in security and traffic management in enterprise networks
Scalable network-layer defense against internet bandwidth-flooding attacks

IEEE/ACM Transactions on Networking (TON)
Profiling the end host

PAM'07 Proceedings of the 8th international conference on Passive and active network measurement

Quantified Score

Hi-index	0.00

Visualization

Abstract

In this paper, we study the impact of today's IT policies, defined based upon a monoculture approach, on the performance of endhost anomaly detectors. This approach leads to the uniform configuration of Host intrusion detection systems (HIDS) across all hosts in an enterprise networks. We assess the performance impact this policy has from the individual's point of view by analyzing network traces collected from 350 enterprise users. We uncover a great deal of diversity in the user population in terms of the "tail" behavior, i.e., the component which matters for anomaly detection systems. We demonstrate that the monoculture approach to HIDS configuration results in users that experience wildly different false positive and false negatives rates. We then introduce new policies, based upon leveraging this diversity and show that not only do they dramatically improve performance for the vast majority of users, but they also reduce the number of false positives arriving in centralized IT operation centers, and can reduce attack strength.