Seurat: A Pointillist Approach to Anomaly Detection

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 3224))

Abstract

This paper proposes a new approach to detecting aggregated anomalous events by correlating host file system changes across space and time. Our approach is based on a key observation that many host state transitions of interest have both temporal and spatial locality. Abnormal state changes, which may be hard to detect in isolation, become apparent when they are correlated with similar changes on other hosts. Based on this intuition, we have developed a method to detect similar, coincident changes to the patterns of file updates that are shared across multiple hosts. We have implemented this approach in a prototype system called Seurat and demonstrated its effectiveness using a combination of real workstation cluster traces, simulated attacks, and a manually launched Linux worm.
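The spatial half of the intuition above, as an added illustration that is not the paper's Seurat prototype: each host reports the set of files it updated in a daily window, and a file that is suddenly updated on many hosts at once, yet was never updated on that many hosts in any past window, is flagged together with the hosts that share the change. The sample windows, host names, file paths and the `min_hosts` threshold are all constructed assumptions, not data or parameters from the paper.

```python
from collections import Counter
# Constructed sample (not the paper's data): per daily window, host -> files modified.
HISTORY = [
    {"h1": {"/var/log/messages", "/var/log/wtmp"},
     "h2": {"/var/log/messages", "/home/bob/.bashrc"},
     "h3": {"/var/log/messages"},
     "h4": {"/var/log/messages", "/var/log/wtmp"},
     "h5": {"/var/log/messages"}},
    {"h1": {"/var/log/messages"},
     "h2": {"/var/log/messages", "/var/log/wtmp"},
     "h3": {"/var/log/messages", "/home/carol/notes.txt"},
     "h4": {"/var/log/messages", "/etc/passwd"},  # one host, benign edit
     "h5": {"/var/log/messages", "/var/log/wtmp"}},
]
# Constructed "today": four hosts gain the same two new files at once (the
# coincident change a worm leaves); h3 is untouched, and the report shared by
# h1/h3 is a two-host coincidence that should stay below threshold.
TODAY = {
    "h1": {"/var/log/messages", "/bin/ls", "/etc/rc.d/rc.local", "/home/shared/report.txt"},
    "h2": {"/var/log/messages", "/var/log/wtmp", "/bin/ls", "/etc/rc.d/rc.local"},
    "h3": {"/var/log/messages", "/home/shared/report.txt"},
    "h4": {"/var/log/messages", "/bin/ls", "/etc/rc.d/rc.local"},
    "h5": {"/var/log/messages", "/bin/ls", "/etc/rc.d/rc.local"},
}

def host_counts(window):
    """Spatial view of one window: number of hosts that updated each file."""
    counts = Counter()
    for files in window.values():
        counts.update(files)
    return counts

def coincident_changes(history, today, min_hosts=3):
    """Map each flagged file to the sorted hosts that updated it today.
    Flag a file updated on >= min_hosts hosts today and on more hosts than in
    any past window, so routine log updates on every host and one-off edits
    on a single host are both ignored."""
    baseline = Counter()  # per file: max hosts updating it in one past window
    for window in history:
        for f, n in host_counts(window).items():
            baseline[f] = max(baseline[f], n)
    flagged = {}
    for f, n in host_counts(today).items():
        if n >= min_hosts and n > baseline[f]:
            flagged[f] = sorted(h for h, files in today.items() if f in files)
    return flagged

def affected_hosts(flagged):
    """Hosts sharing at least one flagged change: the set to triage together."""
    return sorted({h for hosts in flagged.values() for h in hosts})
```

A temporal extension in the same spirit would keep the per-file baseline as a time series and compare today's host count against its recent trend rather than against the historical maximum.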

Copyright information

© 2004 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Xie, Y., Kim, HA., O’Hallaron, D.R., Reiter, M.K., Zhang, H. (2004). Seurat: A Pointillist Approach to Anomaly Detection. In: Jonsson, E., Valdes, A., Almgren, M. (eds) Recent Advances in Intrusion Detection. RAID 2004. Lecture Notes in Computer Science, vol 3224. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30143-1_13

  • DOI: https://doi.org/10.1007/978-3-540-30143-1_13

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-23123-3

  • Online ISBN: 978-3-540-30143-1

  • eBook Packages: Springer Book Archive
