Integrated detection of anomalous behavior of computer infrastructures

Our research concentrates on anomaly detection techniques, which have both industrial applications, such as network monitoring and protection, and research applications, such as software behavioral analysis or malware classification. During our doctoral research we worked on anomaly detection from three different perspectives, since a complex computer infrastructure has several weak spots that must be protected. We first focused on the operating system, central to any computer, to prevent malicious code from subverting its normal activity. Secondly, we concentrated on web applications, which are the main interface to modern computing: because of their immense popularity, they have become the most targeted entry point of intrusions. Last, we developed novel techniques with the aim of identifying related events (e.g., alerts reported by intrusion detection systems) to build new and more compact knowledge for detecting malicious activity on large-scale systems. During our research we enhanced existing anomaly detection tools and also contributed new ones. Such tools have been tested over different datasets, both synthetic data and real network traffic, and led to interesting results that were accepted for publication at major security venues.
