Abstract
This paper proposes a new approach to detecting aggregated anomalous events by correlating host file system changes across space and time. Our approach is based on a key observation that many host state transitions of interest have both temporal and spatial locality. Abnormal state changes, which may be hard to detect in isolation, become apparent when they are correlated with similar changes on other hosts. Based on this intuition, we have developed a method to detect similar, coincident changes to the patterns of file updates that are shared across multiple hosts. We have implemented this approach in a prototype system called Seurat and demonstrated its effectiveness using a combination of real workstation cluster traces, simulated attacks, and a manually launched Linux worm.
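To illustrate the correlation idea the abstract describes, here is a small added example (constructed here, not code from the Seurat prototype): each host reports the set of files it updated per day, a file updated on many hosts the same day but on almost none in the preceding days is treated as a coincident change, and a day with several such shared files raises an alert. All host names, paths and thresholds below are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample input (not from the paper): (host, day) -> files updated.
HOSTS = ["h1", "h2", "h3", "h4", "h5"]
REPORTS = {(h, d): {"/var/log/syslog"} for h in HOSTS for d in range(5)}
REPORTS[("h1", 1)].add("/home/alice/.bash_history")      # per-host noise
REPORTS[("h2", 0)].add("/home/bob/.bash_history")
REPORTS[("h2", 3)].add("/home/bob/.bash_history")
REPORTS[("h3", 3)].add("/home/carol/notes.txt")
for h in HOSTS:                                           # day 2: fleet-wide patch
    REPORTS[(h, 2)].add("/usr/lib/libz.so.1")
for h in HOSTS[:4]:                                       # day 4: hypothetical worm
    REPORTS[(h, 4)] |= {"/tmp/.worm_dropper", "/etc/rc.local"}


def daily_file_counts(reports):
    """Collapse per-host reports into {day: Counter(file -> number of hosts)}."""
    per_day = defaultdict(Counter)
    for (_host, day), files in reports.items():
        per_day[day].update(files)
    return per_day


def coincident_files(reports, day, window=3, min_hosts=3, baseline_max=1):
    """Files updated on >= min_hosts hosts today (spatial locality) that were
    updated on at most baseline_max hosts on each of the previous `window` days
    (temporal novelty). Routine daily churn such as logs never qualifies."""
    counts = daily_file_counts(reports)
    flagged = []
    for path, n_hosts in counts.get(day, Counter()).items():
        if n_hosts < min_hosts:
            continue
        prior = max((counts.get(d, Counter())[path]
                     for d in range(day - window, day)), default=0)
        if prior <= baseline_max:
            flagged.append(path)
    return sorted(flagged)


def detect(reports, window=3, min_hosts=3, baseline_max=1, min_files=2):
    """Alert on days where several new files appear on many hosts at once.
    min_files keeps a single fleet-wide patch from alerting on its own."""
    alerts = {}
    for day in sorted({d for _, d in reports}):
        if day < window:          # not enough history to form a baseline
            continue
        files = coincident_files(reports, day, window, min_hosts, baseline_max)
        if len(files) >= min_files:
            alerts[day] = files
    return alerts
```

The constructed day-2 patch push is spatially just as coincident as the day-4 worm and is returned by `coincident_files`; only the `min_files` threshold keeps `detect` quiet on it, so legitimate coordinated updates need to be accounted for when tuning such a detector.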
© 2004 Springer-Verlag Berlin Heidelberg
Xie, Y., Kim, HA., O’Hallaron, D.R., Reiter, M.K., Zhang, H. (2004). Seurat: A Pointillist Approach to Anomaly Detection. In: Jonsson, E., Valdes, A., Almgren, M. (eds) Recent Advances in Intrusion Detection. RAID 2004. Lecture Notes in Computer Science, vol 3224. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30143-1_13
DOI: https://doi.org/10.1007/978-3-540-30143-1_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-23123-3
Online ISBN: 978-3-540-30143-1