Seurat: A Pointillist Approach to Anomaly Detection

  • Yinglian Xie
  • Hyang-Ah Kim
  • David R. O’Hallaron
  • Michael K. Reiter
  • Hui Zhang
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3224)

Abstract

This paper proposes a new approach to detecting aggregated anomalous events by correlating host file system changes across space and time. Our approach is based on a key observation that many host state transitions of interest have both temporal and spatial locality. Abnormal state changes, which may be hard to detect in isolation, become apparent when they are correlated with similar changes on other hosts. Based on this intuition, we have developed a method to detect similar, coincident changes to the patterns of file updates that are shared across multiple hosts. We have implemented this approach in a prototype system called Seurat and demonstrated its effectiveness using a combination of real workstation cluster traces, simulated attacks, and a manually launched Linux worm.
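The following is an added illustration of the intuition stated above and is not Seurat's own code or algorithm (the abstract does not give the paper's representation or thresholds). It assumes a constructed file-update log of (day, host, path) tuples, a baseline that is simply the largest number of hosts that touched a path on any day in a short trailing window, and a minimum host count of three before a change counts as "shared across hosts"; all three are choices made for this example. The point it demonstrates is the one the abstract makes: a single host writing an unusual file is invisible to a per-host check, while the same write landing on several hosts on the same day stands out.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Update = Tuple[int, str, str]  # (day, host, path) - one observed file update

HOSTS = [f"h{i}" for i in range(1, 7)]


def build_sample_log() -> List[Update]:
    """Constructed 7-day, 6-host log for the example (not trace data from the paper)."""
    log: List[Update] = []
    for day in range(1, 8):
        for h in HOSTS:                                      # routine noise on every host, every day
            log.append((day, h, "/var/log/syslog"))
        log.append((day, "h1", "/home/u1/.bash_history"))    # one user's daily habit
        if day % 2:
            log.append((day, "h2", "/home/u2/.bash_history"))
    for h in HOSTS:                                          # day 3: a legitimate fleet-wide package refresh
        log.append((3, h, "/var/cache/apt/pkgcache.bin"))
    log.append((5, "h3", "/tmp/.hidden"))                    # day 5: one host, unremarkable in isolation
    for h in ("h2", "h3", "h4", "h5"):                       # day 7: the same two writes on four hosts at once
        log.append((7, h, "/bin/ls"))
        log.append((7, h, "/tmp/.hidden"))
    return log


def hosts_per_path(log: Iterable[Update]) -> Dict[int, Dict[str, Set[str]]]:
    """Index the log as day -> path -> set of hosts that updated that path."""
    table: Dict[int, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for day, host, path in log:
        table[day][path].add(host)
    return table


def coincident_changes(log: Iterable[Update], day: int,
                       window: int = 4, min_hosts: int = 3) -> List[Tuple[str, int, int]]:
    """Paths updated on `day` by at least `min_hosts` hosts (spatial correlation) whose
    host count exceeds the largest count seen for that path in the trailing `window`
    days (temporal novelty). Returns sorted (path, hosts_today, baseline_max) tuples.
    The window/threshold scheme is an assumption of this example, not Seurat's method."""
    table = hosts_per_path(log)
    history = [d for d in range(day - window, day) if d in table]
    if not history:                       # no baseline yet: refuse to guess rather than flag everything
        return []
    flagged: List[Tuple[str, int, int]] = []
    for path, hosts in table.get(day, {}).items():
        n_today = len(hosts)
        if n_today < min_hosts:           # a change on one or two hosts is not "shared" yet
            continue
        baseline = max(len(table[d].get(path, ())) for d in history)
        if n_today > baseline:
            flagged.append((path, n_today, baseline))
    return sorted(flagged)


if __name__ == "__main__":
    log = build_sample_log()
    for day in range(1, 8):
        print(day, coincident_changes(log, day))
```

Day 5 yields nothing: h3's write to /tmp/.hidden is a single point. Day 7 flags /bin/ls and /tmp/.hidden because four hosts made the same change together, and /var/log/syslog is never flagged because its six-host count is its own baseline. Day 3 is the caveat a practitioner should expect from any scheme of this shape: a legitimate, simultaneous package refresh on every host is also a coincident change and is flagged, so such detectors need a way to whitelist or learn scheduled rollouts.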

Keywords

Anomaly detection · Pointillism · Correlation · File updates · Clustering

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Yinglian Xie (1)
  • Hyang-Ah Kim (1)
  • David R. O’Hallaron (1, 2)
  • Michael K. Reiter (1, 2)
  • Hui Zhang (1, 2)

  1. Department of Computer Science, Carnegie Mellon University
  2. Department of Electrical and Computer Engineering, Carnegie Mellon University