Post-Patch Retraining for Host-Based Anomaly Detection

Applying patches, although a disruptive activity, remains a vital part of software maintenance and defense. When host-based anomaly detection (AD) sensors monitor an application, patching the application requires a corresponding update of the sensor’s behavioral model. Otherwise, the sensor may incorrectly classify new behavior as malicious (a false positive) or assert that old, incorrect behavior is normal (a false negative). Although the problem of “model drift” is an almost universally acknowledged hazard for AD sensors, relatively little work has been done to understand the process of re-training a “live” AD model — especially in response to legal behavioral updates like vendor patches or repairs produced by a self-healing system. We investigate the feasibility of automatically deriving and applying a “model patch” that describes the changes necessary to update a “reasonable” host-based AD behavioral model (i.e., a model whose structure follows the core design principles of existing host-based anomaly models). We aim to avoid extensive retraining and regeneration of the entire AD model when only parts may have changed — a task that seems especially undesirable after the exhaustive testing necessary to deploy a patch.
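As an added illustration that is not the paper's own code, the Python sketch below applies the abstract's idea to a Forrest-style set-of-n-grams system-call model: it derives a "model patch" from pre- and post-patch traces of the changed code path and applies it to a live model that also holds behaviour learned in the field, without retraining that model from scratch. The traces, the window length `N` and all function names are constructed for this example.

```python
# Added example, not the paper's code: a set-of-n-grams system-call model in the
# style of Forrest et al. with a "model patch" derived from pre-/post-patch traces.
from typing import Iterable, List, Set, Tuple

NGram = Tuple[str, ...]
Model = Set[NGram]                           # normal profile: n-grams seen in training
ModelPatch = Tuple[Set[NGram], Set[NGram]]   # (n-grams to add, n-grams to retire)
N = 3                                        # window length chosen for this example

def ngrams(trace: List[str], n: int = N) -> List[NGram]:
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]

def train(traces: Iterable[List[str]], n: int = N) -> Model:
    """Build the normal profile from system-call traces."""
    return {g for t in traces for g in ngrams(t, n)}

def anomaly_score(model: Model, trace: List[str], n: int = N) -> float:
    """Fraction of the trace's n-grams absent from the model (0.0 = normal)."""
    grams = ngrams(trace, n)
    return sum(g not in model for g in grams) / len(grams) if grams else 0.0

def derive_model_patch(pre: Model, post: Model) -> ModelPatch:
    """What the software patch made normal, and what it retired."""
    return post - pre, pre - post

def apply_model_patch(live: Model, patch: ModelPatch) -> Model:
    """Update the deployed model instead of retraining it from scratch.
    Assumption: retirements only cover the patched code path, so n-grams the
    sensor learned in the field for untouched paths survive as they are."""
    added, retired = patch
    return (live - retired) | added

# Constructed traces: the vendor patch inserts an fstat() check before read().
PRE_PATCH_LAB = [["open", "read", "write", "close"]]
POST_PATCH_LAB = [["open", "fstat", "read", "write", "close"]]
# Constructed behaviour learned in production and never seen in lab traces.
FIELD_TRACE = ["socket", "connect", "sendto", "recvfrom", "close"]

def demo() -> dict:
    live = train(PRE_PATCH_LAB) | train([FIELD_TRACE])
    patch = derive_model_patch(train(PRE_PATCH_LAB), train(POST_PATCH_LAB))
    updated = apply_model_patch(live, patch)
    return {
        "post_on_stale_model": anomaly_score(live, POST_PATCH_LAB[0]),   # false positive
        "post_on_updated": anomaly_score(updated, POST_PATCH_LAB[0]),    # normal again
        "pre_on_updated": anomaly_score(updated, PRE_PATCH_LAB[0]),      # retired path
        "field_on_updated": anomaly_score(updated, FIELD_TRACE),         # preserved
        "patch_size": (len(patch[0]), len(patch[1])),
    }
```

Calling `demo()` shows the stale model flagging two of three post-patch n-grams, while the patched model accepts the new path, rejects the retired one and keeps the field-learned network path, having touched only three n-grams.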
