Original Contribution: Stacked generalization
Neural Networks
Experiments on multistrategy learning by meta-learning
CIKM '93 Proceedings of the second international conference on Information and knowledge management
Machine Learning
MetaCost: a general method for making classifiers cost-sensitive
KDD '99 Proceedings of the fifth ACM SIGKDD international conference on Knowledge discovery and data mining
Service specific anomaly detection for network intrusion detection
Proceedings of the 2002 ACM symposium on Applied computing
Mimicry attacks on host-based intrusion detection systems
Proceedings of the 9th ACM conference on Computer and communications security
Detecting Concept Drift with Support Vector Machines
ICML '00 Proceedings of the Seventeenth International Conference on Machine Learning
A decision-theoretic generalization of on-line learning and an application to boosting
EuroCOLT '95 Proceedings of the Second European Conference on Computational Learning Theory
Ensemble Methods in Machine Learning
MCS '00 Proceedings of the First International Workshop on Multiple Classifier Systems
Building Diverse Computer Systems
HOTOS '97 Proceedings of the 6th Workshop on Hot Topics in Operating Systems (HotOS-VI)
A Sense of Self for Unix Processes
SP '96 Proceedings of the 1996 IEEE Symposium on Security and Privacy
Anomaly detection of web-based attacks
Proceedings of the 10th ACM conference on Computer and communications security
Polygraph: Automatically Generating Signatures for Polymorphic Worms
SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Evading network anomaly detection systems: formal reasoning and practical techniques
Proceedings of the 13th ACM conference on Computer and communications security
Building a reactive immune system for software services
ATEC '05 Proceedings of the annual conference on USENIX Annual Technical Conference
Automated response using system-call delays
SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
Detecting targeted attacks using shadow honeypots
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Sensitivity of PCA for traffic anomaly detection
Proceedings of the 2007 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
On the infeasibility of modeling polymorphic shellcode
Proceedings of the 14th ACM conference on Computer and communications security
Data sanitization: improving the forensic utility of anomaly detection systems
HotDep'07 Proceedings of the 3rd workshop on on Hot Topics in System Dependability
Casting out Demons: Sanitizing Training Data for Anomaly Sensors
SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy
Cross-disciplinary perspectives on meta-learning for algorithm selection
ACM Computing Surveys (CSUR)
Anomalous payload-based worm detection and signature generation
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Anagram: a content anomaly detector resistant to mimicry attack
RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
Proceedings of the 2nd ACM workshop on Security and artificial intelligence
Effective multimodel anomaly detection using cooperative negotiation
GameSec'10 Proceedings of the First international conference on Decision and game theory for security
A multilayer overlay network architecture for enhancing IP services availability against dos
ICISS'11 Proceedings of the 7th international conference on Information Systems Security
Cross-Domain collaborative anomaly detection: so far yet so close
RAID'11 Proceedings of the 14th international conference on Recent Advances in Intrusion Detection
Securing application-level topology estimation networks: facing the frog-boiling attack
RAID'11 Proceedings of the 14th international conference on Recent Advances in Intrusion Detection
Automated Anomaly Detector Adaptation using Adaptive Threshold Tuning
ACM Transactions on Information and System Security (TISSEC)
Security analysis of online centroid anomaly detection
The Journal of Machine Learning Research
| Hi-index | 0.00 |
The deployment and use of Anomaly Detection (AD) sensors often requires the intervention of a human expert to manually calibrate and optimize their performance. Depending on the site and the type of traffic it receives, the operators might have to provide recent and sanitized training data sets, the characteristics of expected traffic (i.e. outlier ratio), and exceptions or even expected future modifications of system's behavior. In this paper, we study the potential performance issues that stem from fully automating the AD sensors' day-to-day maintenance and calibration. Our goal is to remove the dependence on human operator using an unlabeled, and thus potentially dirty, sample of incoming traffic. To that end, we propose to enhance the training phase of AD sensors with a self-calibration phase, leading to the automatic determination of the optimal AD parameters. We show how this novel calibration phase can be employed in conjunction with previously proposed methods for training data sanitization resulting in a fully automated AD maintenance cycle. Our approach is completely agnostic to the underlying AD sensor algorithm. Furthermore, the self-calibration can be applied in an online fashion to ensure that the resulting AD models reflect changes in the system's behavior which would otherwise render the sensor's internal state inconsistent. We verify the validity of our approach through a series of experiments where we compare the manually obtained optimal parameters with the ones computed from the self-calibration phase. Modeling traffic from two different sources, the fully automated calibration shows a 7.08% reduction in detection rate and a 0.06% increase in false positives, in the worst case, when compared to the optimal selection of parameters. Finally, our adaptive models outperform the statically generated ones retaining the gains in performance from the sanitization process over time.