• DocumentCode
    1940110
  • Title
    Cross-layer anomaly correlation and response selection
  • Author
    Frazier, Gregory ; Gray, Robert

  • Author_Institution
    Cyber Oper. & Networking Div., BAE Syst., Arlington, VA, USA
  • fYear
    2010
  • fDate
    Oct. 31 2010-Nov. 3 2010
  • Firstpage
    405
  • Lastpage
    410
  • Abstract
    A cyber attack modifies the behavior of its target application or system such that it is outside of its intended or desired range of behavior. The challenge is that one cannot predict the attack mechanism that will cause the modified behavior or when and how the target's behavior will diverge. Thus, if one restricts one's sensors to a particular aspect of the system or looks for specific malicious behavior, one is likely to miss the attack. This paper describes an approach for simultaneously examining multiple network and host abstraction layers to discover anomalous behavior and then correlating anomalies to determine whether an attack is taking place and, when applicable, select an automatic response. We have used this approach to implement host-based and network-based intrusion detection systems, HIDAR and NIDAR, for enterprise networks, as well as sister systems for tactical networks. We discuss both the potential performance of the approach and our real-world experiences. In this venue, we focus on our NIDAR experiences in government and corporate networks under both experiments and live operation.
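    The pipeline the abstract sketches (per-layer anomaly detection, cross-layer correlation, then response selection) as an added, self-contained Python illustration. This is not HIDAR or NIDAR code and does not reproduce the paper's detectors or features; the layer names (tcp, http, process), the z-score baseline, the 30-second correlation window, the two-layer alert rule, the response tiers and the sample observations are all assumptions constructed for this example.

```python
"""Cross-layer anomaly correlation and response selection (illustrative, not HIDAR/NIDAR).

Assumptions made for this example: three abstraction layers ("tcp", "http", "process"),
a per-feature z-score baseline learned from constructed training data, a 30 s
correlation window, an alert when a host shows anomalies in at least two layers,
and a three-tier response policy.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Observation:
    t: float       # seconds since start of the monitoring epoch
    host: str      # monitored host (assumed identifier)
    layer: str     # abstraction layer the sensor sits at
    feature: str   # measured feature at that layer
    value: float


class LayerDetector:
    """Per-(layer, feature) baseline; flags values whose |z-score| >= threshold."""

    def __init__(self, z_threshold: float = 3.0):
        self.z_threshold = z_threshold
        self.baselines: dict[tuple[str, str], tuple[float, float]] = {}

    def train(self, observations):
        grouped = defaultdict(list)
        for o in observations:
            grouped[(o.layer, o.feature)].append(o.value)
        for key, vals in grouped.items():
            # Guard against a zero standard deviation in a constant training set.
            self.baselines[key] = (mean(vals), pstdev(vals) or 1e-9)

    def score(self, o: Observation):
        key = (o.layer, o.feature)
        if key not in self.baselines:
            return None  # unseen feature: no baseline, so no verdict (a real gap, not an anomaly)
        mu, sigma = self.baselines[key]
        return (o.value - mu) / sigma

    def anomalies(self, observations):
        flagged = []
        for o in observations:
            z = self.score(o)
            if z is not None and abs(z) >= self.z_threshold:
                flagged.append((o, z))
        return flagged


def correlate(anomalies, window: float = 30.0, min_layers: int = 2):
    """Per host, find the earliest window holding anomalies from >= min_layers distinct layers.

    A single-layer spike (e.g. only a TCP rate anomaly) never becomes an alert on its own;
    that is the cross-layer correlation step reducing single-sensor noise.
    """
    by_host = defaultdict(list)
    for o, z in anomalies:
        by_host[o.host].append((o, z))
    alerts = []
    for host, items in by_host.items():
        items.sort(key=lambda x: x[0].t)
        for o_i, _ in items:
            cluster = [(o, z) for o, z in items if o_i.t <= o.t <= o_i.t + window]
            layers = {o.layer for o, _ in cluster}
            if len(layers) >= min_layers:
                alerts.append({"host": host, "start": o_i.t, "layers": sorted(layers),
                               "max_abs_z": max(abs(z) for _, z in cluster)})
                break  # one alert per host is enough for this example
    return alerts


def select_response(alert) -> str:
    """Map correlated evidence to a response tier (tiers and thresholds are assumptions)."""
    n_layers = len(alert["layers"])
    if n_layers >= 3 or alert["max_abs_z"] >= 8.0:
        return "isolate_host"
    if n_layers == 2:
        return "rate_limit_and_capture"
    return "log_only"


def run_example():
    """Constructed training and live data; returns (alerts, {host: response})."""
    training = [Observation(t, "h1", "tcp", "syn_rate", v) for t, v in enumerate([8, 10, 12, 9, 11])]
    training += [Observation(t, "h1", "http", "error_ratio", v) for t, v in enumerate([0.01, 0.02, 0.03, 0.02, 0.02])]
    training += [Observation(t, "h1", "process", "new_children", v) for t, v in enumerate([0, 1, 2, 1, 1])]
    live = [
        Observation(90.0, "h1", "tcp", "syn_rate", 11),           # normal
        Observation(100.0, "h1", "tcp", "syn_rate", 500),         # anomalous at network layer
        Observation(110.0, "h1", "http", "error_ratio", 0.6),     # anomalous at application layer
        Observation(115.0, "h1", "process", "new_children", 40),  # anomalous at host layer
        Observation(100.0, "h2", "tcp", "syn_rate", 300),         # single-layer spike only
    ]
    det = LayerDetector()
    det.train(training)
    alerts = correlate(det.anomalies(live))
    return alerts, {a["host"]: select_response(a) for a in alerts}


if __name__ == "__main__":
    for a, r in zip(*run_example()):
        print(a, "->", r)
```

    On the constructed data, h1 shows anomalies at all three layers within one window and is escalated, while h2's isolated TCP spike is flagged by the layer detector but produces no alert. Note the `score()` behaviour for a feature with no baseline: it returns no verdict rather than treating the unknown as anomalous, which is the choice a practitioner has to make explicitly when sensors at a new layer come online without training data.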
  • Keywords
    security of data; HIDAR; NIDAR; cross-layer anomaly correlation; cyber attack; enterprise networks; host abstraction layers; host-based intrusion detection systems; network-based intrusion detection systems; response selection; tactical networks; Correlation; Detectors; Feature extraction; Protocols; Sensor systems; Training; anomaly detection; intrusion prevention;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    MILITARY COMMUNICATIONS CONFERENCE, 2010 - MILCOM 2010
  • Conference_Location
    San Jose, CA
  • ISSN
    2155-7578
  • Print_ISBN
    978-1-4244-8178-1
  • Type
    conf
  • DOI
    10.1109/MILCOM.2010.5680345
  • Filename
    5680345