Locality-Based Server Profiling for Intrusion Detection

Detection of intrusion on network servers plays an ever more important role in network security. This paper investigates whether analysis of incoming connection behavior for properties of locality can be used to create a normal profile for network servers. Intrusions can then be detected due to their abnormal behavior. Experiments show that connections to a typical network server do in fact exhibit locality, and attacks can be detected through their violation of locality.
