Anomaly Detection in Computer Security and an Application to File System Accesses

  • Conference paper
Foundations of Intelligent Systems (ISMIS 2005)

Part of the book series: Lecture Notes in Computer Science (LNAI, volume 3488)
Abstract

We present an overview of anomaly detection as used in computer security, and provide a detailed example of a host-based Intrusion Detection System that monitors file systems to detect abnormal accesses. The File Wrapper Anomaly Detector (FWRAP) has two parts: a sensor that audits file system accesses, and an unsupervised machine learning system that computes models of normal access behaviour from those audits. FWRAP employs the Probabilistic Anomaly Detection (PAD) algorithm previously reported in our work on Windows Registry Anomaly Detection, and represents a general approach to anomaly detection. The detector is first trained by operating the host computer for some period of time, during which PAD automatically computes a model specific to the target machine. The model is then deployed to a real-time detector. In this paper we describe the feature set used to model file system accesses, and report the performance results of a set of experiments that ran the sensor while attacking a Linux host with a variety of malware exploits. The PAD detector achieved impressive detection rates, in some cases over 95%, with about a 2% false positive rate when alarming on anomalous processes.

This work has been supported in part by a contract from DARPA, Application-layer IDS, Contract No. F30602-00-1-0603.



Copyright information

© 2005 Springer-Verlag Berlin Heidelberg

Cite this paper

Stolfo, S.J., Hershkop, S., Bui, L.H., Ferster, R., Wang, K. (2005). Anomaly Detection in Computer Security and an Application to File System Accesses. In: Hacid, M.S., Murray, N.V., Raś, Z.W., Tsumoto, S. (eds) Foundations of Intelligent Systems. ISMIS 2005. Lecture Notes in Computer Science, vol 3488. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11425274_2

  • DOI: https://doi.org/10.1007/11425274_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-25878-0

  • Online ISBN: 978-3-540-31949-8
