Title :
Meta IDS environments: an event message anomaly detection approach
Author :
Tolle, Jens ; Jahnke, Marko ; Bussmann, Michael ; Henkel, Sven
Author_Institution :
Dept. of Comput. Networks, Res. Establ. for Appl. Sci., Wachtberg, Germany
Abstract :
This paper presents an anomaly detection approach for application in Meta IDS environments, where locally generated event messages from several domains are centrally processed. The basic approach has been successfully used for detection of abnormal traffic structures in computer networks. It creates directed graphs from the address specifications contained within event messages and generates clusterings of the graphs. Large differences between subsequent clusterings indicate anomalies. This anomaly detection approach is part of an intrusion warning system (IWS) for dynamic coalition environments. It is designed to indicate suspicious actions and tendencies and to provide decision support on how to react to anomalies. Real-world data, mixed with data from a simulated Internet worm, is used to analyze the system. The results prove the applicability of our approach.
Keywords :
Internet; computer networks; directed graphs; invasive software; message passing; pattern clustering; telecommunication security; telecommunication traffic; Internet worm; abnormal traffic structure detection; address specifications; computer networks; decision support; directed graphs; dynamic coalition environments; event message anomaly detection; graph clusterings; intrusion warning system; meta IDS environments; suspicious actions; Alarm systems; Analytical models; Application software; Computer networks; Data security; Event detection; Internet; Intrusion detection; Protocols; Telecommunication traffic; Anomaly Detection; Event Messages; Graph Clustering; Meta IDS;
Conference_Title :
Information Assurance, 2005. Proceedings. Third IEEE International Workshop on
Print_ISBN :
0-7695-2317-X
DOI :
10.1109/IWIA.2005.13