Bro: a system for detecting network intruders in real-time
Computer Networks: The International Journal of Computer and Telecommunications Networking
Mimicry attacks on host-based intrusion detection systems
Proceedings of the 9th ACM conference on Computer and communications security
BlueBoX: A policy-driven, host-based intrusion detection system
ACM Transactions on Information and System Security (TISSEC)
Building Diverse Computer Systems
HOTOS '97 Proceedings of the 6th Workshop on Hot Topics in Operating Systems (HotOS-VI)
Use of diversity as a defense mechanism
NSPW '05 Proceedings of the 2005 workshop on New security paradigms
An algorithm for anomaly-based botnet detection
SRUTI'06 Proceedings of the 2nd conference on Steps to Reducing Unwanted Traffic on the Internet - Volume 2
BotHunter: detecting malware infection through IDS-driven dialog correlation
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Phalanx: withstanding multimillion-node botnets
NSDI'08 Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation
To filter or to authorize: network-layer DoS defense against multimillion-node botnets
Proceedings of the ACM SIGCOMM 2008 conference on Data communication
Execution Trace-Driven Automated Attack Signature Generation
ACSAC '08 Proceedings of the 2008 Annual Computer Security Applications Conference
The Monoculture Risk Put into Context
IEEE Security and Privacy
TVA: a DoS-limiting network architecture
IEEE/ACM Transactions on Networking (TON)
Challenges in security and traffic management in enterprise networks
Challenges in security and traffic management in enterprise networks
Scalable network-layer defense against internet bandwidth-flooding attacks
IEEE/ACM Transactions on Networking (TON)
PAM'07 Proceedings of the 8th international conference on Passive and active network measurement
Hi-index | 0.00 |
In this paper, we study the impact of today's IT policies, defined based upon a monoculture approach, on the performance of endhost anomaly detectors. This approach leads to the uniform configuration of Host intrusion detection systems (HIDS) across all hosts in an enterprise networks. We assess the performance impact this policy has from the individual's point of view by analyzing network traces collected from 350 enterprise users. We uncover a great deal of diversity in the user population in terms of the "tail" behavior, i.e., the component which matters for anomaly detection systems. We demonstrate that the monoculture approach to HIDS configuration results in users that experience wildly different false positive and false negatives rates. We then introduce new policies, based upon leveraging this diversity and show that not only do they dramatically improve performance for the vast majority of users, but they also reduce the number of false positives arriving in centralized IT operation centers, and can reduce attack strength.