论文信息 - Keep your friends close: the necessity for updating an anomaly sensor with legitimate environment changes

Keep your friends close: the necessity for updating an anomaly sensor with legitimate environment changes

Large-scale distributed systems have dense, complex code-bases that are assumed to perform multiple and inter-dependent tasks while user interaction is present. The way users interact with systems can differ and evolve over time, as can the systems themselves. Consequently, anomaly detection (AD) sensors must be able to cope with updates to their operating environment. Otherwise, the sensor may incorrectly classify new patterns as malicious (a false positive) or assert that old or outdated patterns are normal (a false negative). This problem of "model drift" is an almost universally acknowledged hazard for anomaly sensors. However, relatively little work has been done to understand the process of identifying and seamlessly updating an operational network AD sensor with legal modifications like changes to a file system or back-end database. In this paper, we highlight some of the challenges of keeping an anomaly sensor updated, an important step toward helping anomaly sensors become a practical intrusion detection tool for real-world network and host environments. Our goal is to eliminate needless false positives arising from the gradual de-synchronization of the sensor from the environment it is monitoring. To that end, we investigate the feasibility of automatically deriving and applying a "data" or "model patch" that describes the changes necessary to update a "reasonable" AD behavioral model (i.e., a model whose structure follows the core design principles of existing anomaly models). We propose an update procedure that is holistic in nature: specifically, we present preliminary results on how to update a sensor that monitors the request and response messages for non-dynamic HTTP requests and software patches. In addition, we propose extensions for dynamic, database-driven requests and responses.

Salvatore J. Stolfo | Angelos Stavrou | Michael E. Locasto | Gabriela F. Cretu-Ciocarlie

[1] Salvatore J. Stolfo,et al. Adaptive Anomaly Detection via Self-calibration and Dynamic Updating , 2009, RAID.

[2] Carla E. Brodley,et al. Approaches to Online Learning and Concept Drift for User Identification in Computer Security , 1998, KDD.

[3] Salvatore J. Stolfo,et al. A comparative evaluation of two algorithms for Windows Registry Anomaly Detection , 2005, J. Comput. Secur..

[4] Salvatore J. Stolfo,et al. Casting out Demons: Sanitizing Training Data for Anomaly Sensors , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[5] Christopher Krügel,et al. Protecting a Moving Target: Addressing Web Application Concept Drift , 2009, RAID.

[6] Salvatore J. Stolfo,et al. Anomalous Payload-Based Worm Detection and Signature Generation , 2005, RAID.

[7] Debin Gao,et al. Behavioral Distance for Intrusion Detection , 2005, RAID.

[8] Salvatore J. Stolfo,et al. Anagram: A Content Anomaly Detector Resistant to Mimicry Attack , 2006, RAID.

[9] Niels Provos,et al. Improving Host Security with System Call Policies , 2003, USENIX Security Symposium.

[10] Peng Li,et al. Automatically Adapting a Trained Anomaly Detector to Software Patches , 2009, RAID.