Anomaly Detection with Diagnosis in Diversified Systems using Information Flow Graphs

  • Frédéric Majorczyk
  • Eric Totel
  • Ludovic Mé
  • Ayda Saïdane
Part of the IFIP – The International Federation for Information Processing book series (IFIPAICT, volume 278)


Design diversity is a well-known method to ensure fault tolerance. Such a method has also been applied successfully in various projects to provide intrusion detection and tolerance. Two types of approaches have been investigated: the comparison of the outputs of the diversified services without any knowledge of the internals of the server (black-box approach) or an intrusive observation of the activities that occur on the diversified servers (gray-box approach). Previous work on black-box approaches has shown that some types of attacks cannot be detected. In this paper, we introduce a gray-box approach, on the one hand to increase the detection coverage, and on the other hand to add some diagnosis capability to the IDS. Our gray-box approach is based on the comparison of information flow graphs generated by the activities on the servers.

Key words

anomaly detection, design diversity, COTS diversity, anomaly diagnosis, graph similarity



Copyright information

© IFIP International Federation for Information Processing 2008

Authors and Affiliations

  • Frédéric Majorczyk (1)
  • Eric Totel (1)
  • Ludovic Mé (1)
  • Ayda Saïdane (2)

  1. Supelec, France
  2. University of Trento, via Belenzani 12, I-38100 Trento
