Intrusion Detection

  • Organizer: Roy A. Maxion
  • Speakers: Marc Dacier; Sami Saydjari

  • Venue: FTCS '99 Proceedings of the Twenty-Ninth Annual International Symposium on Fault-Tolerant Computing
  • Year: 1999

Abstract

Marc Dacier's topic is intrusion detection versus the detection of errors caused by intentionally malicious faults. Although research on intrusion detection has been carried out for more than two decades, it has recently received increased attention due to the success of the Internet. A recent survey conducted by the IBM Global Security Laboratory indicates that more than 20 intrusion-detection products are now available on the market, whereas two years ago there were only three. Despite this growth in product offerings, intrusion-detection solutions are still in their infancy. Not only is there a lack of understanding of what an intrusion really is, but also of how it should be handled. Moreover, from a technical point of view, many critical issues remain unsolved.

In this talk, Marc presents what has been done in the intrusion-detection domain in the past and highlights new research directions that need to be addressed. He highlights the relationship between intrusion detection and fault tolerance, drawing on the body of knowledge developed within the traditional dependability community, and notes the opportunities for these two communities to work together to solve this important problem.

Sami Saydjari's topic is the detection of novel, previously unseen attacks. Although intrusion detection is a field still in its infancy, two broad approaches have evolved: pattern-based detection and anomaly-based detection. Pattern-based detection, sometimes called misuse-based detection, relies on matching known patterns of attacks already suffered. Anomaly-based detection, on the other hand, relies on detecting behaviors that are abnormal with respect to some normal standard. An example is that of a masquerader trying to hide behind someone else's login; unless the masquerader is clever indeed, his activities will stand out as anomalous against the victim's profile of normal behavior.

Anomaly-based detection techniques appear to hold the best hope of detecting new variants of attacks. Sami emphasizes that although some low-level sensors can detect known attacks, the research community must move quickly in learning how to detect novel attacks at much higher detection rates (the state of the art is around 80%) while keeping false-positive rates very low (0.1% or better). Detecting novel attacks will require better anomaly-detection algorithms. Achieving a 99.9% detection rate will require a firm understanding of the "sweet spots" of the various detection algorithms, as well as an understanding of how to fuse the results of the best of the best. There is also a need to represent knowledge of attack patterns in a canonical form, so that it can be shared across multiple detection tools and so that tools can be judged on how effectively they use knowledge, rather than on which tool can load the largest corpus of precompiled (pattern-based) knowledge into its on-line database.

The session concludes with an open discussion of how the research communities can work together to reduce undependability caused by intentionally malicious faults.