A framework for the development of anomaly detection systems
Intrusion detection systems typically fall into one of two categories: misuse detection and anomaly detection. In misuse detection systems, attacks are explicitly codified as signatures of some form. They are characterized by a low rate of false positives but, to a greater or lesser extent, suffer from an inability to generalize from the signatures in their signature set. That is, new attacks, and even simple variations of attacks for which signatures exist, often go undetected.
Anomaly detection systems detect attacks by comparing current system behavior to some representation of normal system behavior. This representation may be a software or protocol specification, but more often takes the form of learning models that have been trained on some set of features that describe activity in the monitored system -- examples include fields in audit records, web requests, and system call invocations. Since anomaly detection systems don't include attack descriptions, they have the advantage of being able to detect novel attacks that are distinguishable from normal system behavior in some way.
libAnomaly was created to make research on anomaly detection systems easier by providing implementations of features common to most anomaly detectors:
- A collection of learning models that operate on common types (strings, integers)
- Implementations of some common data types (strings, integers, doubles, lists)
- Methods for aggregating anomaly scores from multiple models
- syscallsAnomaly: anomaly detection on system call arguments for Linux (Snare) and Solaris (BSM)
- webAnomaly: anomaly detection on HTTP access logs in the Common Log Format (CLF)
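The following is an added, self-contained illustration of the pieces listed above, not code from libAnomaly itself: a parser for Common Log Format lines, two learning models that operate on string values (an attribute-length model scored with Chebyshev's inequality and a character-distribution model scored with a chi-square test, the model types described in the web-anomaly literature), and a weighted-sum aggregation of per-model scores with a detection threshold. The model weights, the threshold, the chi-square critical value for 5 degrees of freedom, the handling of parameters never seen in training, and the sample log lines are all assumptions or constructed values chosen for this example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

# Apache Common Log Format: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_clf(line):
    """Return (path, {param: value}) for one CLF line, or None if it does not parse."""
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return parts.path, dict(parse_qsl(parts.query, keep_blank_values=True))


class LengthModel:
    """Attribute-length model: learns mean/variance of a value's length and
    scores an overlong value with Chebyshev's inequality."""

    def __init__(self):
        self.n = self.total = self.total_sq = 0

    def train(self, value):
        n = len(value)
        self.n, self.total, self.total_sq = self.n + 1, self.total + n, self.total_sq + n * n

    def score(self, value):
        """Anomaly score in [0, 1]; 0 is normal. Only values longer than the mean are penalised."""
        mean = self.total / self.n
        var = self.total_sq / self.n - mean ** 2
        dev = len(value) - mean
        if dev <= 0:
            return 0.0
        if var <= 0:
            return 1.0
        # P(|X - mean| >= dev) <= var / dev^2 bounds how likely such a length is under training data
        return 1.0 - min(1.0, var / dev ** 2)


class CharDistModel:
    """Character-distribution model: learns the average sorted relative character
    frequencies of a value and compares a new value to it with a chi-square test."""

    BINS = [(0, 1), (1, 4), (4, 7), (7, 12), (12, 16), (16, 256)]
    CHI_CRIT = 11.07  # assumed cut-off: chi-square critical value, 5 degrees of freedom, p = 0.05

    def __init__(self):
        self.n = 0
        self.acc = [0.0] * 256

    @staticmethod
    def _sorted_freqs(value):
        # Relative frequency of each character, sorted descending, padded/truncated to 256 entries.
        freqs = sorted((c / len(value) for c in Counter(value).values()), reverse=True) if value else []
        return (freqs + [0.0] * 256)[:256]

    def train(self, value):
        for i, f in enumerate(self._sorted_freqs(value)):
            self.acc[i] += f
        self.n += 1

    def score(self, value):
        if not value:
            return 0.0
        ideal = [a / self.n for a in self.acc]
        observed = self._sorted_freqs(value)
        chi = 0.0
        for lo, hi in self.BINS:
            expected = sum(ideal[lo:hi]) * len(value)
            if expected > 0:  # simplification: bins with no expected mass are skipped
                got = sum(observed[lo:hi]) * len(value)
                chi += (got - expected) ** 2 / expected
        return min(1.0, chi / self.CHI_CRIT)


class Detector:
    """Trains one model set per (path, parameter) and aggregates their scores by weighted sum."""

    MODELS = {"length": (LengthModel, 0.5), "chardist": (CharDistModel, 0.5)}  # (class, weight)

    def __init__(self, threshold=0.5):
        self.threshold = threshold
        self.models = defaultdict(lambda: {name: cls() for name, (cls, _) in self.MODELS.items()})

    def train(self, lines):
        for line in lines:
            parsed = parse_clf(line)
            if parsed:
                path, params = parsed
                for name, value in params.items():
                    for model in self.models[(path, name)].values():
                        model.train(value)

    def score(self, line):
        """Return (aggregate score, per-parameter model scores) for one log line."""
        parsed = parse_clf(line)
        if parsed is None:
            return 1.0, {"_parse": "unparseable line"}
        path, params = parsed
        details, worst = {}, 0.0
        for name, value in params.items():
            key = (path, name)
            if key not in self.models:  # assumption: a parameter never seen in training is fully anomalous
                details[name], worst = {"unseen": 1.0}, 1.0
                continue
            scores = {m: self.models[key][m].score(value) for m in self.MODELS}
            details[name] = scores
            worst = max(worst, sum(self.MODELS[m][1] * s for m, s in scores.items()))
        return worst, details

    def is_anomalous(self, line):
        return self.score(line)[0] > self.threshold


# Constructed training log: benign logins with short alphabetic user names.
TRAINING_LOG = [
    f'10.0.0.{i} - - [10/Oct/2000:13:55:{i:02d} -0700] "GET /login?user={u} HTTP/1.0" 200 2326'
    for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"], 1)
]
# Constructed test lines: a benign request, an overlong low-entropy argument, an unseen parameter.
BENIGN_LINE = '10.0.0.9 - - [10/Oct/2000:13:56:00 -0700] "GET /login?user=ivan HTTP/1.0" 200 2326'
ANOMALOUS_LINE = '10.0.0.9 - - [10/Oct/2000:13:56:01 -0700] "GET /login?user=' + "A" * 200 + ' HTTP/1.0" 200 2326'
UNSEEN_LINE = '10.0.0.9 - - [10/Oct/2000:13:56:02 -0700] "GET /login?debug=1 HTTP/1.0" 200 2326'


def build_detector():
    det = Detector(threshold=0.5)
    det.train(TRAINING_LOG)
    return det


if __name__ == "__main__":
    det = build_detector()
    for line in (BENIGN_LINE, ANOMALOUS_LINE, UNSEEN_LINE):
        print(round(det.score(line)[0], 3), det.is_anomalous(line), line[:60])
```

The aggregation takes the worst weighted sum across a request's parameters, so one anomalous argument is enough to flag the request; tuning the per-model weights and the threshold against a held-out benign log is what controls the false-positive rate in practice.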
2003 (3 publications)
- Bayesian event classification for intrusion detection. Proceedings of the Annual Computer Security Applications Conference (ACSAC 2003).
- On the Detection of Anomalous System Call Arguments. Proceedings of the European Symposium on Research in Computer Security (ESORICS 2003).