Behavior profiling for robust anomaly detection

Internet attacks are evolving using evasion techniques such as polymorphism and stealth scanning. Conventional detection systems using signature-based and/or rule-based anomaly detection techniques no longer suffice. It is difficult to predict what form the next malware attack will take and these pose a great challenge to the design of a robust intrusion detection system. We focus on the anomalous behavioral characteristics between attack and victim when they undergo sequences of compromising actions and that are inherent to the classes of vulnerability-exploit attacks. A new approach, Gestalt, is proposed to statefully capture and monitor activities between hosts and progressively assess possible network anomalies by multilevel behavior tracking, cross-level triggering and correlation, and a probabilistic inference model is proposed for intrusion assessment and detection. Such multilevel design provides a collective perspective to reveal more anomalies than individual levels. We show that Gestalt is robust and effective in detecting polymorphic, stealthy variants of known attacks.