Meta IDS Environments: An Event Message Anomaly Detection Approach

  • Authors:
  • Jens Tolle;Marko Jahnke;Michael Bussmann;Sven Henkel

  • Affiliations:
  • Research Establishment for Applied Science;Research Establishment for Applied Science;Research Establishment for Applied Science;Research Establishment for Applied Science

  • Venue:
  • IWIA '05 Proceedings of the Third IEEE International Workshop on Information Assurance
  • Year:
  • 2005

Abstract

This paper presents an anomaly detection approach for application in Meta IDS environments, where locally generated event messages from several domains are centrally processed. The basic approach has already been used successfully to detect abnormal traffic structures in computer networks. It creates directed graphs from the address specifications contained in event messages and generates clusterings of these graphs. Large differences between successive clusterings indicate anomalies. The anomaly detection approach is part of an intrusion warning system (IWS) for dynamic coalition environments. It is designed to indicate suspicious actions and tendencies and to provide decision support on how to react to anomalies. Real-world data, mixed with data from a simulated Internet worm, is used to analyze the system. The results demonstrate the applicability of the approach.
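The abstract describes the pipeline only in outline: address pairs from event messages become a directed graph per time window, each graph is clustered, and a large distance between successive clusterings raises an alarm. The following Python sketch is an added example, not code from the paper or from the authors' IWS. Since the abstract does not say which clustering algorithm or which distance measure the authors use, the example assumes weakly connected components as the clustering and a Jaccard distance over co-membership node pairs as the distance; both are stand-ins. The event messages, the `win=/src=/dst=` message format and the threshold of 0.5 are constructed for the demonstration. Windows 1 to 3 carry ordinary client-to-server traffic of two domains (with one client dropping out in window 3, to show that small churn stays below the threshold); in window 4 one host fans out to every other known host the way a scanning worm would, which merges the two clusters into one.

```python
import re
from collections import defaultdict
from itertools import combinations

EVENT_RE = re.compile(r"^win=(\d+)\s+src=(\S+)\s+dst=(\S+)")

# Constructed sample event messages (not real data). Windows 1-3: two domains,
# each with clients talking to their own server. Window 4: host 10.0.1.2 acts
# like a scanning worm and contacts every other known host.
SAMPLE_EVENTS = """
win=1 src=10.0.1.1 dst=10.0.1.100
win=1 src=10.0.1.2 dst=10.0.1.100
win=1 src=10.0.1.3 dst=10.0.1.100
win=1 src=10.0.2.1 dst=10.0.2.100
win=1 src=10.0.2.2 dst=10.0.2.100
win=2 src=10.0.1.1 dst=10.0.1.100
win=2 src=10.0.1.2 dst=10.0.1.100
win=2 src=10.0.1.3 dst=10.0.1.100
win=2 src=10.0.2.1 dst=10.0.2.100
win=2 src=10.0.2.2 dst=10.0.2.100
win=3 src=10.0.1.1 dst=10.0.1.100
win=3 src=10.0.1.2 dst=10.0.1.100
win=3 src=10.0.2.1 dst=10.0.2.100
win=3 src=10.0.2.2 dst=10.0.2.100
win=4 src=10.0.1.1 dst=10.0.1.100
win=4 src=10.0.1.2 dst=10.0.1.100
win=4 src=10.0.2.1 dst=10.0.2.100
win=4 src=10.0.2.2 dst=10.0.2.100
win=4 src=10.0.1.2 dst=10.0.1.1
win=4 src=10.0.1.2 dst=10.0.1.3
win=4 src=10.0.1.2 dst=10.0.2.1
win=4 src=10.0.1.2 dst=10.0.2.2
win=4 src=10.0.1.2 dst=10.0.2.100
""".strip().splitlines()


def build_graphs(lines):
    """Parse event messages into one directed edge set per time window."""
    graphs = defaultdict(set)
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # messages without address specifications carry no edge
        win, src, dst = m.groups()
        graphs[int(win)].add((src, dst))
    return dict(sorted(graphs.items()))


def cluster(edges):
    """Weakly connected components via union-find (assumed clustering; the
    paper's own clustering method is not given in the abstract)."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for src, dst in edges:
        parent[find(src)] = find(dst)
    groups = defaultdict(set)
    for node in list(parent):
        groups[find(node)].add(node)
    return [frozenset(g) for g in groups.values()]


def co_member_pairs(clustering):
    """Unordered node pairs sharing a cluster. Comparing clusterings by these
    pairs lets windows with different node sets be compared directly: a node
    missing from one window simply contributes no pairs there."""
    pairs = set()
    for group in clustering:
        pairs.update(frozenset(p) for p in combinations(sorted(group), 2))
    return pairs


def clustering_distance(a, b):
    """Jaccard distance of the co-membership pair sets (assumed measure):
    0.0 = identical grouping, 1.0 = no pair grouped together in both."""
    pa, pb = co_member_pairs(a), co_member_pairs(b)
    union = pa | pb
    return 0.0 if not union else 1.0 - len(pa & pb) / len(union)


def detect_anomalies(lines, threshold=0.5):
    """Return [(window, distance_to_previous_clustering, is_anomaly), ...]."""
    results, previous = [], None
    for win, edges in build_graphs(lines).items():
        current = cluster(edges)
        if previous is not None:
            d = clustering_distance(previous, current)
            results.append((win, d, d > threshold))
        previous = current
    return results


if __name__ == "__main__":
    for win, d, anomalous in detect_anomalies(SAMPLE_EVENTS):
        print(f"window {win}: distance {d:.3f} {'ANOMALY' if anomalous else 'ok'}")
```

With the constructed input the distance from window 1 to 2 is 0.0 (identical grouping), from 2 to 3 it is 1/3 (one client vanished, a normal fluctuation that stays under the threshold), and from 3 to 4 it is 15/21, because every host now sits in a single cluster. Note that a pair-based distance grows roughly with the square of the merged cluster size, so it reacts strongly to exactly the star-shaped fan-out a worm produces; a threshold for real data would have to be calibrated against the normal window-to-window churn of the monitored domains.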