  • DocumentCode
    2840306
  • Title
    Methods for cluster-based incident detection
  • Author
    Carrier, Brian D.; Matheny, Blake
  • Author_Institution
    Center for Educ. & Res. in Inf. Assurance & Security, Purdue Univ., West Lafayette, IN, USA
  • fYear
    2004
  • fDate
    8-9 April 2004
  • Firstpage
    71
  • Lastpage
    78
  • Abstract
    Here, we introduce a statistics-based anomaly detection technique for identifying systems that could have been compromised and had trojan executables installed. Attackers frequently install rootkits and other trojan files onto hosts they compromise so they can easily gain access in the future. Many detection systems use signatures to identify unauthorized files, but signatures for all platforms and patch levels do not exist in large-scale environments, such as government and university networks. Our anomaly detection system organizes hosts into clusters based on their files and uses statistics to identify those that should be examined in more detail.
  • Keywords
    authorisation; invasive software; message authentication; statistical analysis; workstation clusters; anomaly detection system; cluster-based incident detection method; digital signature; rootkits; statistics-based anomaly detection technique; trojan file; Databases; Fingerprint recognition; Government; Information security; Internet; Large-scale systems; Network servers; Operating systems; Performance gain; Statistics;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Information Assurance Workshop, 2004. Proceedings. Second IEEE International
  • Print_ISBN
    0-7695-2117-7
  • Type
    conf
  • DOI
    10.1109/IWIA.2004.1288039
  • Filename
    1288039