Anomaly-Based Intrusion Detection System Sharing Normal Behavior Databases among Different Machines

A number of studies have examined anomaly detection systems based on training on the system call sequences of applications during normal execution. However, many of these systems have low detection accuracy when training is insufficient. This occurs because normal behavior data obtained through training on one machine cannot be used for detection on another machine. In this paper, we propose an anomaly detection system that shares normal behavior data between multiple machines. In the proposed system, the normal behavior data obtained on each machine is accumulated on a server, and the integrated data is distributed back to each machine. This improves detection accuracy by integrating the data used for anomaly detection on every machine. The proposed system provides not only a straightforward integration algorithm but also two improved algorithms, namely the majority algorithm and the similarity algorithm. The proposed system was implemented on the Linux operating system, and its behavior was compared experimentally with that of an existing system.
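The following is an added illustration of the architecture described above, not code from the paper. It models each machine's normal behavior database as the set of fixed-length system call windows seen in training (the stide-style n-gram approach of the Forrest line of work), then shows three ways a server could integrate the per-machine databases before redistributing them. The paper does not specify how its majority and similarity algorithms work, so the rules used here are assumptions: "majority" keeps a window only if more than half of the machines reported it, and "similarity" lets a target machine import only from peers whose databases are close to its own under Jaccard similarity with an assumed threshold of 0.6. The window length of 3, the mismatch threshold of 0.2, and all training and test traces are constructed for the example; machine D is deliberately trained while running an injected shell-spawn sequence, to show why the straightforward union can be worse than a filtered merge.

```python
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

WINDOW = 3  # n-gram length; assumed for the example, not taken from the paper
NGram = Tuple[str, ...]


def build_db(traces: Iterable[List[str]], k: int = WINDOW) -> Set[NGram]:
    """Normal-behavior database: every length-k window of system calls seen in training."""
    db: Set[NGram] = set()
    for trace in traces:
        for i in range(len(trace) - k + 1):
            db.add(tuple(trace[i:i + k]))
    return db


def integrate_union(dbs: Dict[str, Set[NGram]]) -> Set[NGram]:
    """Straightforward integration: the server simply unions every machine's database."""
    merged: Set[NGram] = set()
    for db in dbs.values():
        merged |= db
    return merged


def integrate_majority(dbs: Dict[str, Set[NGram]]) -> Set[NGram]:
    """Assumed majority rule: keep a window only if more than half of the machines reported it.
    Windows seen on a single machine (possibly a contaminated one) are dropped."""
    votes = Counter(g for db in dbs.values() for g in db)
    need = len(dbs) // 2 + 1
    return {g for g, n in votes.items() if n >= need}


def jaccard(a: Set[NGram], b: Set[NGram]) -> float:
    """Jaccard similarity of two databases; assumed metric for the similarity rule."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def integrate_similarity(dbs: Dict[str, Set[NGram]], target: str, min_sim: float) -> Set[NGram]:
    """Assumed similarity rule: the target machine imports only from peers whose
    databases resemble its own, so an outlier (mis-trained) peer is ignored."""
    merged = set(dbs[target])
    for name, db in dbs.items():
        if name != target and jaccard(dbs[target], db) >= min_sim:
            merged |= db
    return merged


def mismatch_rate(trace: List[str], db: Set[NGram], k: int = WINDOW) -> float:
    """Fraction of windows in a trace that are absent from the database."""
    windows = [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]
    if not windows:
        return 0.0
    return sum(1 for w in windows if w not in db) / len(windows)


def is_anomalous(trace: List[str], db: Set[NGram], threshold: float = 0.2) -> bool:
    """Raise an alert when the mismatch rate exceeds the (assumed) threshold."""
    return mismatch_rate(trace, db) > threshold


# Constructed training traces for one network service running on four machines.
BASE_TRACE = ["socket", "bind", "listen", "accept", "read", "write",
              "close", "accept", "read", "write", "close"]
ROTATION_TRACE = ["accept", "read", "open", "write", "close"]        # legitimate but rare path
ATTACK_TRACE = ["accept", "read", "dup2", "dup2", "execve"]          # injected shell spawn

DBS: Dict[str, Set[NGram]] = {
    "A": build_db([BASE_TRACE]),                                  # under-trained machine
    "B": build_db([BASE_TRACE, ROTATION_TRACE]),
    "C": build_db([BASE_TRACE, ROTATION_TRACE]),
    "D": build_db([BASE_TRACE, ROTATION_TRACE, ATTACK_TRACE]),    # trained while compromised
}


def compare_strategies() -> Dict[str, Dict[str, bool]]:
    """Alert decision for each (strategy, trace) pair, from machine A's point of view."""
    candidates = {
        "local_only": DBS["A"],
        "union": integrate_union(DBS),
        "majority": integrate_majority(DBS),
        "similarity": integrate_similarity(DBS, "A", min_sim=0.6),
    }
    return {name: {"rotation": is_anomalous(ROTATION_TRACE, db),
                   "attack": is_anomalous(ATTACK_TRACE, db)}
            for name, db in candidates.items()}


if __name__ == "__main__":
    for strategy, verdicts in compare_strategies().items():
        print(f"{strategy:11s} rotation alert={verdicts['rotation']!s:5s} attack alert={verdicts['attack']}")
```

Running it shows the trade-off the abstract is about: machine A alone raises a false alarm on the log-rotation path it never saw; the plain union cures that but also imports D's contaminated windows and therefore misses the attack; the majority and similarity merges keep the rotation path (reported by three of four machines, or by peers close to A) while excluding the single-machine attack windows, so they suppress the false positive and still detect the attack. The thresholds are knobs: lowering min_sim to 0.5 would admit D's database and reintroduce the miss, which is the kind of sanitization concern a practitioner should test before distributing an integrated database.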
