DocumentCode :
3178832
Title :
Towards the scalable implementation of a user level anomaly detection system
Author :
Chinchani, Ramkumar ; Upadhyaya, Shambhu ; Kwiat, Kevin
Author_Institution :
Dept. of Comput. Sci. & Eng., State Univ. of New York, Buffalo, NY, USA
Volume :
2
fYear :
2002
fDate :
7-10 Oct. 2002
Firstpage :
1503
Abstract :
Traditional intrusion detection systems can be broadly classified as misuse detectors and anomaly detectors. Misuse detectors attempt detection by matching the current system/user activity against known signatures and patterns. In contrast, anomaly detection works by developing a reference graph and comparing the ongoing activity against it; any significant deviation is flagged as an intrusion. Anomaly detection is more promising because of its potential to detect previously unseen types of attacks. However, both techniques have conventionally relied on audit trails sampled deep inside the system via probes, and the sheer size of the data allows only after-the-fact, offline detection. In the recent past, there have been efforts to capture the semantics of system activity for more rapid detection, and this can typically be done at levels closer to the user. In our earlier work related to this effort, we presented a scheme and a reasoning framework to detect intrusions based on the encapsulated user intent. This paper addresses the scalability and implementation aspects of the system by introducing concepts such as workspaces and meta-operations. Although this security system is a general anomaly detection system, it is amenable to operator fault recovery. While encryption provides secure communication channels, it leaves the end points exposed. Our security system has the additional capability of handling insider attacks relevant in this context.
Keywords :
computer network management; graphs; military communication; military computing; telecommunication security; encapsulated user intent; exposed end points; insider attacks; meta-operations; operator fault recovery; reasoning framework; reference graph; scalable implementation; user level anomaly detection system; workspaces; Communication channels; Communication system security; Context; Cryptography; Detectors; Fault detection; Intrusion detection; Pattern matching; Probes; Scalability;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
MILCOM 2002. Proceedings
Print_ISBN :
0-7803-7625-0
Type :
conf
DOI :
10.1109/MILCOM.2002.1179706
Filename :
1179706