Abstract
We present an overview of anomaly detection used in computer security, and provide a detailed example of a host-based Intrusion Detection System that monitors file systems to detect abnormal accesses. The File Wrapper Anomaly Detector (FWRAP) has two parts: a sensor that audits file system accesses, and an unsupervised machine learning system that computes models of normal access from those audit records. FWRAP employs the Probabilistic Anomaly Detection (PAD) algorithm previously reported in our work on Windows Registry Anomaly Detection. FWRAP represents a general approach to anomaly detection. The detector is first trained by operating the host computer for some amount of time, and a model specific to the target machine is automatically computed by PAD. The model is then deployed to a real-time detector. In this paper we describe the feature set used to model file system accesses, and the performance results of a set of experiments using the sensor while attacking a Linux host with a variety of malware exploits. The PAD detector achieved detection rates of over 95% in some cases and about a 2% false positive rate when alarming on anomalous processes.
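As an added illustration (not code from the paper or from the FWRAP/PAD implementation), the train-then-detect workflow the abstract describes, reduced to a small Python model over constructed file-access records with an assumed feature set of process, path and access mode: a normal model is learned from records gathered while the host runs normally, then new records are scored, and unseen values or unusual feature combinations score highest. The smoothing rule is a simplified stand-in for PAD's estimator, which the page does not reproduce.

```python
import math
from collections import Counter

# Features of one file-access record from the sensor (assumed for this example).
FIELDS = ("process", "path", "mode")

# Constructed training data: accesses recorded while the host ran normally.
NORMAL = ([("sshd", "/etc/ssh", "r")] * 3 + [("httpd", "/var/www", "r")] * 4
          + [("httpd", "/var/log", "w")] * 2 + [("cron", "/etc/cron.d", "r")])


class FileAccessModel:
    """Simplified PAD-style model of normal accesses (an illustration, not the
    paper's PAD code): smoothed first-order estimates P(feature = v) and
    second-order estimates P(feature_i = v | feature_j = w), with probability
    mass reserved for values never seen during training."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha  # pseudo-count: how much mass an unseen value keeps
        self.first = {f: Counter() for f in FIELDS}
        self.second = {}    # (i, j, value_j) -> Counter over values of feature i

    def train(self, records):
        for rec in records:
            for i, f in enumerate(FIELDS):
                self.first[f][rec[i]] += 1
                for j in range(len(FIELDS)):
                    if i != j:
                        self.second.setdefault((i, j, rec[j]), Counter())[rec[i]] += 1

    def _prob(self, counter, value):
        # Additive smoothing with one extra bucket for "never seen before":
        # an unseen value gets alpha / (N + alpha * (k + 1)), shrinking as N grows.
        n, k = sum(counter.values()), len(counter)
        return (counter.get(value, 0) + self.alpha) / (n + self.alpha * (k + 1))

    def score(self, rec):
        """-log of the least likely first- or second-order estimate: low for
        routine accesses, high for unseen values or unusual combinations."""
        probs = []
        for i, f in enumerate(FIELDS):
            probs.append(self._prob(self.first[f], rec[i]))
            for j in range(len(FIELDS)):
                if i != j:
                    ctx = self.second.get((i, j, rec[j]), Counter())
                    probs.append(self._prob(ctx, rec[i]))
        return -math.log(min(probs))


def flag_anomalies(model, records, threshold):
    """Detector stage: return the records whose score exceeds the threshold."""
    return [r for r in records if model.score(r) > threshold]
```

With the constructed data, a routine httpd read of /var/www scores ln 3, an sshd write to /var/www (seen values, unseen combination) scores ln 6, and an httpd write to a never-seen path scores ln 15.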
Acknowledgement
This work has been supported in part by a contract from DARPA, Application-layer IDS, Contract No. F30602-00-1-0603.
© 2005 Springer-Verlag Berlin Heidelberg
Stolfo, S.J., Hershkop, S., Bui, L.H., Ferster, R., Wang, K. (2005). Anomaly Detection in Computer Security and an Application to File System Accesses. In: Hacid, M.S., Murray, N.V., Raś, Z.W., Tsumoto, S. (eds) Foundations of Intelligent Systems. ISMIS 2005. Lecture Notes in Computer Science, vol. 3488. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11425274_2
DOI: https://doi.org/10.1007/11425274_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-25878-0
Online ISBN: 978-3-540-31949-8