DocumentCode
2840306
Title
Methods for cluster-based incident detection
Author
Carrier, Brian D. ; Matheny, Blake
Author_Institution
Center for Educ. & Res. in Inf. Assurance & Security, Purdue Univ., West Lafayette, IN, USA
fYear
2004
fDate
8-9 April 2004
Firstpage
71
Lastpage
78
Abstract
Here, we introduce a statistics-based anomaly detection technique for identifying systems that could have been compromised and had trojan executables installed. Attackers frequently install rootkits and other trojan files onto hosts they compromise so they can easily gain access in the future. Many detection systems use signatures to identify unauthorized files, but signatures for all platforms and patch levels do not exist in large-scale environments, such as government and university networks. Our anomaly detection system organizes hosts into clusters based on their files and uses statistics to identify those that should be examined in more detail.
Keywords
authorisation; invasive software; message authentication; statistical analysis; workstation clusters; anomaly detection system; cluster-based incident detection method; digital signature; rootkits; statistics-based anomaly detection technique; trojan file; Databases; Fingerprint recognition; Government; Information security; Internet; Large-scale systems; Network servers; Operating systems; Performance gain; Statistics;
fLanguage
English
Publisher
ieee
Conference_Titel
Information Assurance Workshop, 2004. Proceedings. Second IEEE International
Print_ISBN
0-7695-2117-7
Type
conf
DOI
10.1109/IWIA.2004.1288039
Filename
1288039
Link To Document