• DocumentCode
    2909781
  • Title
    Discovering Host Anomalies in Multi-source Information
  • Author
    Gao Cuixia ; Li Zhitang
  • Author_Institution
    Sch. of Comput. Sci. & Technol., Huazhong Univ. of Sci. & Technol., Wuhan, China
  • Volume
    2
  • fYear
    2009
  • fDate
    18-20 Nov. 2009
  • Firstpage
    358
  • Lastpage
    361
  • Abstract
    Anomaly detection means developing a reference profile of normal activity and comparing ongoing activity against it. Anomaly detection is very promising because of its potential to detect unseen types of attacks. In this paper we present our preliminary research on host anomaly detection by fusing multi-source security information. We selected five types of information which may be good indicators of host anomalies: RAM usage, host network connections, bandwidth usage, antivirus alerts and alerts from our own project SATA. Within the information fusion framework, Dempster-Shafer (D-S) evidence theory is used to fuse the dynamic host-related information. Some improvements are also discussed. We also use a real-world environment to demonstrate the method's capability for detecting host anomalies. We show that our prototype can successfully detect most anomalies caused by DoS, scanning and other attacks.
  • Keywords
    inference mechanisms; random-access storage; security of data; D-S evidence theory; RAM usage; antivirus; dynamic host-related information; host anomaly detection; information fusion framework; multisource information; multisource security information; project SATA; reference profile; Computer science; Computer security; Detectors; Event detection; Expert systems; Fuses; Information analysis; Information security; Prototypes; Telecommunication traffic; D-S theory; anomaly detection; multi-source information;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Multimedia Information Networking and Security, 2009. MINES '09. International Conference on
  • Conference_Location
    Hubei
  • Print_ISBN
    978-0-7695-3843-3
  • Electronic_ISBN
    978-1-4244-5068-8
  • Type
    conf
  • DOI
    10.1109/MINES.2009.150
  • Filename
    5368998