Chapter

Recent Advances in Intrusion Detection

Volume 3224 of the series Lecture Notes in Computer Science pp 238-257

Seurat: A Pointillist Approach to Anomaly Detection

  • Yinglian Xie, Department of Computer Science
  • Hyang-Ah Kim, Department of Computer Science
  • David R. O’Hallaron, Department of Computer Science and Department of Electrical and Computer Engineering, Carnegie Mellon University
  • Michael K. Reiter, Department of Computer Science and Department of Electrical and Computer Engineering, Carnegie Mellon University
  • Hui Zhang, Department of Computer Science and Department of Electrical and Computer Engineering, Carnegie Mellon University

Abstract

This paper proposes a new approach to detecting aggregated anomalous events by correlating host file system changes across space and time. Our approach is based on a key observation that many host state transitions of interest have both temporal and spatial locality. Abnormal state changes, which may be hard to detect in isolation, become apparent when they are correlated with similar changes on other hosts. Based on this intuition, we have developed a method to detect similar, coincident changes to the patterns of file updates that are shared across multiple hosts. We have implemented this approach in a prototype system called Seurat and demonstrated its effectiveness using a combination of real workstation cluster traces, simulated attacks, and a manually launched Linux worm.
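The space-and-time correlation the abstract describes, as an added illustration that is not the paper's Seurat implementation: each host-day is one "point" whose coordinates are the files updated on that host that day, and a day is flagged when files that never changed on any host before suddenly change on several hosts at once. The sample update log, the file names and the `min_hosts` / `history_days` thresholds are constructed assumptions for this example.

```python
from collections import defaultdict

# Constructed sample log (not data from the paper): (day, host, path) records
# of which files changed on which host. Days 1-3 show ordinary per-host
# activity plus a log file that rotates everywhere; on day 4 two system
# binaries that never changed before are modified on most hosts at once.
UPDATES = [
    (1, "h1", "/var/log/messages"), (1, "h2", "/var/log/messages"), (1, "h3", "/var/log/messages"),
    (1, "h1", "/home/a/notes.txt"),
    (2, "h1", "/var/log/messages"), (2, "h2", "/var/log/messages"), (2, "h3", "/var/log/messages"),
    (2, "h2", "/home/b/report.doc"),
    (3, "h1", "/var/log/messages"), (3, "h2", "/var/log/messages"), (3, "h3", "/var/log/messages"),
    (3, "h3", "/tmp/build.log"),
    (4, "h1", "/var/log/messages"), (4, "h2", "/var/log/messages"), (4, "h3", "/var/log/messages"),
    (4, "h1", "/usr/bin/ps"), (4, "h2", "/usr/bin/ps"), (4, "h3", "/usr/bin/ps"),
    (4, "h1", "/usr/bin/netstat"), (4, "h2", "/usr/bin/netstat"),
]


def host_day_points(updates):
    """Each (day, host) pair is one point; its coordinates are the set of paths
    updated on that host on that day."""
    points = defaultdict(set)
    for day, host, path in updates:
        points[(day, host)].add(path)
    return points


def coincident_new_changes(updates, min_hosts=2, history_days=1):
    """Return {day: [paths]} for days on which some file changed on at least
    min_hosts hosts (spatial correlation) although it had never changed on any
    host on an earlier day (temporal novelty). The first history_days days only
    build the baseline of normal shared updates and are never flagged."""
    points = host_day_points(updates)
    seen = set()                                  # paths changed on any earlier day
    flagged = {}
    for day in sorted({d for d, _ in points}):
        hosts_per_path = defaultdict(set)
        for (d, host), paths in points.items():
            if d == day:
                for p in paths:
                    hosts_per_path[p].add(host)
        if day > history_days:
            new_shared = sorted(p for p, hosts in hosts_per_path.items()
                                if len(hosts) >= min_hosts and p not in seen)
            if new_shared:
                flagged[day] = new_shared
        seen.update(hosts_per_path)
    return flagged


if __name__ == "__main__":
    print(coincident_new_changes(UPDATES))      # {4: ['/usr/bin/netstat', '/usr/bin/ps']}
```

The per-host changes on days 2 and 3 stay invisible in isolation, exactly as the abstract argues; only the day-4 change shared across hosts stands out, while the daily log rotation is absorbed into the baseline.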

Keywords

Anomaly detection, Pointillism, Correlation, File updates, Clustering