Intrusion attempts due to self-propagating code are becoming an increasingly urgent problem, in part due to the homogeneous makeup of the Internet. Recent advances in anomaly-based intrusion detection systems (IDSs) have exploited the quickly spreading nature of these attacks to identify them with high sensitivity and at low false positive (FP) rates. However, slowly propagating attacks are much more difficult to detect because they are cloaked under the veil of normal network traffic, yet they can be just as dangerous due to their exponential spread pattern. We extend the idea of using collaborative IDSs to corroborate the likelihood of attack by imbuing end hosts with probabilistic graphical models and using random messaging to gossip state among peer detectors. We show that such a system is able to boost a weak anomaly detector D to detect a worm that spreads an order of magnitude more slowly, at false positive rates of less than a few per week, than would be possible using D alone at the end host or at a network aggregation point. We show that this general architecture is scalable in the sense that it achieves a fixed absolute false positive rate as the network size grows, spreads communication bandwidth uniformly throughout the network, and makes use of the increased computational power of a distributed system. We argue that using probabilistic models provides more robust detections than previous collaborative counting schemes and allows the system to account for heterogeneous detectors in a principled fashion.