DocumentCode
3255087
Title
A two-stage aggregation/thresholding scheme for multi-model anomaly-based approaches
Author
Tabia, Karim ; Benferhat, Salem ; Djouadi, Yassine
Author_Institution
Artois Univ.
fYear
2008
fDate
14-17 Oct. 2008
Firstpage
919
Lastpage
926
Abstract
This paper deals with anomaly-score aggregation and thresholding in multi-model anomaly-based approaches, which require multiple detection models and profiles in order to characterize the different aspects of normal activity. Most works focus on profile/model definition, while the critical issues of measuring, aggregating and thresholding anomalies have not received similar attention. In this paper we address in particular the issue of anomaly scoring and aggregation, which is a recurring problem in multi-model anomaly-based approaches. We propose a two-stage aggregation/thresholding scheme particularly suited to multi-model anomaly-based approaches. The basic idea of our scheme is that anomalous behaviors induce either intra-model anomalies or inter-model ones. Our scheme is designed for real-time detection of both intra-model and inter-model anomalies. More precisely, we propose local thresholding in order to detect intra-model anomalies, and use a Bayesian network in order, on the one hand, to extract inter-model regularities and, on the other hand, to serve as an aggregating function for computing the overall anomaly score associated with each analyzed audit event. Our experimental studies, carried out on recent and real HTTP traffic, show for instance that most Web-based attacks induce only intra-model anomalies and can be effectively detected in real time. Moreover, this scheme significantly improves the detection rate of Web-based attacks involving inter-model anomalies.
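The following is an added illustration of the two-stage idea described in the abstract; it is not the authors' code and does not reproduce their models or their Bayesian network. It assumes three toy detection models over HTTP request URIs (a length model, a character-set model and a query-parameter-name model), a star-shaped Bayesian network in which the requested resource is the parent of every model's discrete output, additive smoothing with alpha = 0.5, and margins of 0.15 (stage 1) and 0.5 nats (stage 2) added to the worst score seen on normal traffic; all of these choices, the 20-character length scale, and the normal training requests are assumptions made for the example. Stage 1 compares each model's score with its own local threshold (intra-model anomaly); stage 2 aggregates the models' outputs through the network's negative log-likelihood (inter-model anomaly), so a request whose parameters are individually known but never seen on that resource is caught even though no single model objects.

```python
"""Two-stage aggregation/thresholding over HTTP request URIs (toy example)."""
import math
import string
from collections import Counter

# Constructed normal training traffic (not real data).
TRAINING = [
    "/index.html", "/about.html", "/images/logo.png", "/css/style.css",
    "/search?q=laptop", "/search?q=red+shoes", "/search?q=usb+hub",
    "/product?id=42", "/product?id=1337", "/product?id=7",
    "/cart?id=42&qty=2", "/cart?id=7&qty=1",
]
ALLOWED = set(string.ascii_letters + string.digits + "/._-?=&+")


def split_uri(uri):
    """Return (resource path, [query parameter names]) for a request URI."""
    path, _, query = uri.partition("?")
    return path, [kv.split("=", 1)[0] for kv in query.split("&") if kv]


# Each model returns (local score in [0, 1], discrete symbol). The score feeds
# stage 1; the symbol is the model's node value in the stage-2 network.
class LengthModel:
    name = "length"

    def fit(self, uris):
        self.mean = sum(len(u) for u in uris) / len(uris)

    def score(self, uri):
        n = len(uri)
        s = min(1.0, abs(n - self.mean) / 20.0)  # 20 chars of drift saturates (assumed scale)
        return s, "short" if n < 12 else "medium" if n < 20 else "long"


class CharsetModel:
    name = "charset"

    def fit(self, uris):
        pass  # fixed alphabet, nothing to learn

    def score(self, uri):
        bad = sum(1 for ch in uri if ch not in ALLOWED)
        return min(1.0, 5.0 * bad / max(len(uri), 1)), "clean" if bad == 0 else "dirty"


class ParamModel:
    name = "params"

    def fit(self, uris):
        self.known = {n for u in uris for n in split_uri(u)[1]}

    def score(self, uri):
        names = split_uri(uri)[1]
        unknown = sum(1 for n in names if n not in self.known)
        return (unknown / len(names) if names else 0.0), (",".join(sorted(names)) or "-")


class ResourceNetwork:
    """Star-shaped Bayesian network: resource -> symbol of each model. CPTs are
    estimated by counting with additive smoothing, so unseen pairs keep mass."""

    def __init__(self, alpha=0.5):
        self.alpha = alpha
        self.res_count = Counter()      # resource -> count
        self.pair_count = Counter()     # (model, resource, symbol) -> count
        self.vocab = {}                 # model -> symbols seen in training

    def fit(self, rows):
        for res, syms in rows:
            self.res_count[res] += 1
            for m, s in syms.items():
                self.pair_count[(m, res, s)] += 1
                self.vocab.setdefault(m, set()).add(s)

    def nll(self, res, syms):
        """-log P(symbols | resource); symbols are independent given the resource."""
        total = 0.0
        for m, s in syms.items():
            v = len(self.vocab.get(m, ())) + 1  # +1 reserves mass for unseen symbols
            p = (self.pair_count[(m, res, s)] + self.alpha) / (self.res_count[res] + self.alpha * v)
            total -= math.log(p)
        return total


class TwoStageDetector:
    def __init__(self, models, local_margin=0.15, inter_margin=0.5, alpha=0.5):
        self.models, self.net = models, ResourceNetwork(alpha)
        self.local_margin, self.inter_margin = local_margin, inter_margin

    def fit(self, normal_uris):
        for m in self.models:
            m.fit(normal_uris)
        outs = [{m.name: m.score(u) for m in self.models} for u in normal_uris]
        # Stage-1 thresholds: worst normal score per model plus a margin.
        self.local_thr = {m.name: min(1.0, max(o[m.name][0] for o in outs) + self.local_margin)
                          for m in self.models}
        rows = [(split_uri(u)[0], {k: v[1] for k, v in o.items()}) for u, o in zip(normal_uris, outs)]
        self.net.fit(rows)
        # Stage-2 threshold: least likely normal combination plus a margin.
        self.inter_thr = max(self.net.nll(r, s) for r, s in rows) + self.inter_margin

    def classify(self, uri):
        outs = {m.name: m.score(uri) for m in self.models}
        tripped = [n for n, (s, _) in outs.items() if s > self.local_thr[n]]
        if tripped:                      # stage 1: intra-model anomaly, no aggregation needed
            return "intra", tripped
        res = split_uri(uri)[0]          # stage 2: aggregate the per-model outputs
        agg = self.net.nll(res, {n: sym for n, (_, sym) in outs.items()})
        return ("inter" if agg > self.inter_thr else "normal"), round(agg, 3)


def build_detector():
    det = TwoStageDetector([LengthModel(), CharsetModel(), ParamModel()])
    det.fit(TRAINING)
    return det


if __name__ == "__main__":
    det = build_detector()
    for uri in ["/product?id=99", "/product?id=1' OR '1'='1", "/product?id=42&debug=1", "/search?id=42"]:
        print(uri, "->", det.classify(uri))
```

With this training set the SQL-injection request trips the length and character-set thresholds in stage 1, a request with an unknown parameter name trips the parameter model, and `/search?id=42` passes every local threshold (its length is ordinary, its characters are clean, `id` is a known name) but is flagged in stage 2 because `id` never occurs together with `/search` in normal traffic. A resource absent from training has no conditional profile and falls back to the smoothed prior, so it will usually score as a stage-2 anomaly; in a real deployment the thresholds and margins would be tuned on held-out traffic and the network structure learned from data rather than fixed as here.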
Keywords
Web sites; security of data; aggregating function; anomaly score aggregation; multi-model anomaly-based approaches; two-stage aggregation/thresholding scheme; Bayesian methods; Computer networks; Computer science; Event detection; Information analysis; Information systems; Intrusion detection; Real time systems; Telecommunication traffic;
fLanguage
English
Publisher
ieee
Conference_Titel
Local Computer Networks, 2008. LCN 2008. 33rd IEEE Conference on
Conference_Location
Montreal, QC, Canada
Print_ISBN
978-1-4244-2412-2
Electronic_ISBN
978-1-4244-2413-9
Type
conf
DOI
10.1109/LCN.2008.4664304
Filename
4664304
Link To Document