IEEE Transactions on Software Engineering - Special issue on computer security and privacy
NATE: Network Analysis of Anomalous Traffic Events, a low-cost approach
Proceedings of the 2001 workshop on New security paradigms
Simple, state-based approaches to program-based anomaly detection
ACM Transactions on Information and System Security (TISSEC)
Mimicry attacks on host-based intrusion detection systems
Proceedings of the 9th ACM conference on Computer and communications security
Anomaly Detection over Noisy Data using Learned Probability Distributions
ICML '00 Proceedings of the Seventeenth International Conference on Machine Learning
Learning Program Behavior Profiles for Intrusion Detection
Proceedings of the Workshop on Intrusion Detection and Network Monitoring
Masquerade Detection Using Truncated Command Lines
DSN '02 Proceedings of the 2002 International Conference on Dependable Systems and Networks
"Why 6?" Defining the Operational Limits of Stide, an Anomaly-Based Intrusion Detector
SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Designing and implementing a family of intrusion detection systems
Proceedings of the 9th European software engineering conference held jointly with 11th ACM SIGSOFT international symposium on Foundations of software engineering
FiST: a language for stackable file systems
ATEC '00 Proceedings of the annual conference on USENIX Annual Technical Conference
Detecting malicious software by monitoring anomalous windows registry accesses
RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
A sense of self for Unix processes
SP'96 Proceedings of the 1996 IEEE conference on Security and privacy
Filesystem activity following a SSH compromise: an empirical study of file sequences
ICISC'07 Proceedings of the 10th international conference on Information security and cryptology
SoIDPS: sensor objects-based intrusion detection and prevention system and its implementation
CIS'05 Proceedings of the 2005 international conference on Computational Intelligence and Security - Volume Part II
DIONE: a flexible disk monitoring and analysis framework
RAID'12 Proceedings of the 15th international conference on Research in Attacks, Intrusions, and Defenses
| Hi-index | 0.00 |
We present an overview of anomaly detection used in computer security, and provide a detailed example of a host-based Intrusion Detection System that monitors file systems to detect abnormal accesses. The File Wrapper Anomaly Detector (FWRAP) has two parts, a sensor that audits file systems, and an unsupervised machine learning system that computes normal models of those accesses. FWRAP employs the Probabilistic Anomaly Detection (PAD) algorithm previously reported in our work on Windows Registry Anomaly Detection. FWRAP represents a general approach to anomaly detection. The detector is first trained by operating the host computer for some amount of time and a model specific to the target machine is automatically computed by PAD. The model is then deployed to a real-time detector. In this paper we describe the feature set used to model file system accesses, and the performance results of a set of experiments using the sensor while attacking a Linux host with a variety of malware exploits. The PAD detector achieved impressive detection rates in some cases over 95% and about a 2% false positive rate when alarming on anomalous processes.