论文信息 - Locality-based profile analysis for secondary intrusion detection

Locality-based profile analysis for secondary intrusion detection

While a firewall at the perimeter of a local network provides the first line of defense against attackers, many intrusion incidents result from successful penetration of the firewall. The compromise of one computer puts the entire network at risk. We propose a distributed personal intrusion detection system (IDS) that provides local anomaly detection as well as centralized traffic analysis. The system first builds profiles for normal network activity and then labels as suspicious any events that deviate from the normal profiles. The normal profiles are based on variations in connection-based behavior at each individual host. Deviations at each host are recorded using a local weight assignment scheme and then further processed by the central analyzer to build a weighted link graph representing the overall network abnormality. As local networks become more vulnerable to inside attack, our system reinforces security to prevent corruption from the inside.

Sheau-Dong Lang | Robert Lee | Mian Zhou

[1] John McHugh,et al. Locality: a new paradigm for thinking about normal behavior and outsider threat , 2003, NSPW '03.

[2] George C. Polyzos,et al. A Parameterizable Methodology for Internet Traffic Flow Profiling , 1995, IEEE J. Sel. Areas Commun..

[3] Chengqi Zhang,et al. MA-IDS Architecture for Distributed Intrusion Detection using Mobile Agent , 2004 .

[4] Christopher Krügel,et al. Decentralized Event Correlation for Intrusion Detection , 2001, ICISC.

[5] Matthew M. Williamson,et al. Throttling viruses: restricting propagation to defeat malicious mobile code , 2002, 18th Annual Computer Security Applications Conference, 2002. Proceedings..

[6] Wei Jiang,et al. The Mahalanobis–Taguchi Strategy , 2003, Technometrics.

[7] Christopher Kruegel,et al. Connection-History Based Anomaly Detection , 2002 .

[8] Christopher Krügel,et al. Distributed Pattern Detection for Intrusion Detection , 2002, NDSS.

[9] Robert Morris,et al. Designing a framework for active worm detection on global networks , 2003, First IEEE International Workshop on Information Assurance, 2003. IWIAS 2003. Proceedings..