Seurat: A Pointillist Approach to Anomaly Detection

  • Yinglian Xie
  • Hyang-Ah Kim
  • David R. O’Hallaron
  • Michael K. Reiter
  • Hui Zhang
Conference paper

DOI: 10.1007/978-3-540-30143-1_13

Part of the Lecture Notes in Computer Science book series (LNCS, volume 3224)
Cite this paper as:
Xie Y., Kim HA., O’Hallaron D.R., Reiter M.K., Zhang H. (2004) Seurat: A Pointillist Approach to Anomaly Detection. In: Jonsson E., Valdes A., Almgren M. (eds) Recent Advances in Intrusion Detection. RAID 2004. Lecture Notes in Computer Science, vol 3224. Springer, Berlin, Heidelberg

Abstract

This paper proposes a new approach to detecting aggregated anomalous events by correlating host file system changes across space and time. Our approach is based on a key observation that many host state transitions of interest have both temporal and spatial locality. Abnormal state changes, which may be hard to detect in isolation, become apparent when they are correlated with similar changes on other hosts. Based on this intuition, we have developed a method to detect similar, coincident changes to the patterns of file updates that are shared across multiple hosts. We have implemented this approach in a prototype system called Seurat and demonstrated its effectiveness using a combination of real workstation cluster traces, simulated attacks, and a manually launched Linux worm.
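As an added illustration of the abstract's idea, not code from the paper (Seurat's own feature representation and clustering method are not described on this page), the following Python sketch flags files that many hosts update on the same day without having touched them in the preceding days. The sample records, file names and the `history`/`min_hosts` thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from the paper): one record per host per day,
# listing the files that host updated that day.
UPDATES = [
    (1, "h1", {"/var/log/syslog", "/home/a/notes"}),
    (1, "h2", {"/var/log/syslog"}),
    (1, "h3", {"/var/log/syslog", "/tmp/x"}),
    (2, "h1", {"/var/log/syslog"}),
    (2, "h2", {"/var/log/syslog", "/home/b/doc"}),
    (2, "h3", {"/var/log/syslog"}),
    # day 3: every host touches the same two system files for the first time
    (3, "h1", {"/var/log/syslog", "/etc/passwd", "/usr/bin/ssh"}),
    (3, "h2", {"/var/log/syslog", "/etc/passwd", "/usr/bin/ssh", "/home/b/doc2"}),
    (3, "h3", {"/var/log/syslog", "/etc/passwd", "/usr/bin/ssh"}),
]


def daily_matrix(records):
    """Group records into {day: {host: set_of_files}}."""
    days = defaultdict(dict)
    for day, host, files in records:
        days[day][host] = set(files)
    return days


def new_shared_updates(days, day, history, min_hosts):
    """Return {file: [hosts]} for files updated on at least `min_hosts` hosts
    on `day` (spatial correlation) that none of those hosts had updated in the
    preceding `history` days (temporal correlation)."""
    hosts_per_file = defaultdict(set)
    for host, files in days.get(day, {}).items():
        for f in files:
            hosts_per_file[f].add(host)
    flagged = {}
    for f, hosts in hosts_per_file.items():
        if len(hosts) < min_hosts:
            continue  # a change seen on a single host is not, by itself, suspicious
        routine = any(f in days.get(d, {}).get(h, set())
                      for d in range(day - history, day) for h in hosts)
        if not routine:
            flagged[f] = sorted(hosts)
    return flagged


def scan(records, history=2, min_hosts=3):
    """Scan every day that has `history` days of prior data; return {day: flagged}."""
    days = daily_matrix(records)
    first = min(days)
    report = {}
    for d in sorted(days):
        if d - first < history:
            continue  # not enough history yet to know what is routine
        hits = new_shared_updates(days, d, history, min_hosts)
        if hits:
            report[d] = hits
    return report
```

Note that `/var/log/syslog` is updated on every host every day and is therefore treated as routine, while `/etc/passwd` and `/usr/bin/ssh` are flagged only because all three hosts changed them on the same day.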

Keywords

Anomaly detection · Pointillism · Correlation · File updates · Clustering

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Yinglian Xie (1)
  • Hyang-Ah Kim (1)
  • David R. O’Hallaron (1, 2)
  • Michael K. Reiter (1, 2)
  • Hui Zhang (1, 2)

  1. Department of Computer Science, Carnegie Mellon University
  2. Department of Electrical and Computer Engineering, Carnegie Mellon University
