TY - GEN
T1 - Keep your friends close
T2 - 2nd ACM Workshop on Security and Artificial Intelligence, AISec '09, Co-located with the 16th ACM Computer and Communications Security Conference, CCS'09
AU - Stavrou, Angelos
AU - Cretu-Ciocarlie, Gabriela F.
AU - Locasto, Michael E.
AU - Stolfo, Salvatore J.
PY - 2009
Y1 - 2009
N2 - Large-scale distributed systems have dense, complex code-bases that are assumed to perform multiple and inter-dependent tasks while user interaction is present. The way users interact with systems can differ and evolve over time, as can the systems themselves. Consequently, anomaly detection (AD) sensors must be able to cope with updates to their operating environment. Otherwise, the sensor may incorrectly classify new patterns as malicious (a false positive) or assert that old or outdated patterns are normal (a false negative). This problem of "model drift" is an almost universally acknowledged hazard for anomaly sensors. However, relatively little work has been done to understand the process of identifying and seamlessly updating an operational network AD sensor with legal modifications like changes to a file system or back-end database. In this paper, we highlight some of the challenges of keeping an anomaly sensor updated, an important step toward helping anomaly sensors become a practical intrusion detection tool for real-world network and host environments. Our goal is to eliminate needless false positives arising from the gradual de-synchronization of the sensor from the environment it is monitoring. To that end, we investigate the feasibility of automatically deriving and applying a "data" or "model patch" that describes the changes necessary to update a "reasonable" AD behavioral model (i.e., a model whose structure follows the core design principles of existing anomaly models). We propose an update procedure that is holistic in nature: specifically, we present preliminary results on how to update a sensor that monitors the request and response messages for non-dynamic HTTP requests and software patches. In addition, we propose extensions for dynamic, database-driven requests and responses.
KW - Anomaly detection
KW - Concept drift
KW - Model update
UR - https://www.scopus.com/pages/publications/74049136397
UR - https://www.scopus.com/pages/publications/74049136397#tab=citedBy
U2 - 10.1145/1654988.1655000
DO - 10.1145/1654988.1655000
M3 - Conference contribution
AN - SCOPUS:74049136397
SN - 9781605587813
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 39
EP - 45
BT - Proceedings of 2nd ACM Workshop on Security and Artificial Intelligence, AISec '09, Co-located with the 16th ACM Computer and Communications Security Conference, CCS'09
Y2 - 9 November 2009 through 13 November 2009
ER -