Abstract
We discuss combining two anomaly detection models, the Linux kernel module pH (which monitors the system-call sequences of running processes) and cfengine (a host configuration and regulation engine), in order to create a multi-scale approach to computer anomaly detection with automated response. By examining the time-averaged data produced by pH, we find the two systems to be conceptually complementary and to have compatible data models. On the basis of these findings, we build a simple prototype system and comment on how the same model could be extended to include other anomaly detection mechanisms.
The original version of this chapter was revised: The copyright line was incorrect. This has been corrected. The Erratum to this chapter is available at DOI: 10.1007/978-0-387-35674-7_66
Copyright information
© 2003 IFIP International Federation for Information Processing
Cite this chapter
Begnum, K.M., Burgess, M. (2003). A Scaled, Immunological Approach to Anomaly Countermeasures. In: Goldszmidt, G., Schönwälder, J. (eds) Integrated Network Management VIII. IM 2003. IFIP — The International Federation for Information Processing, vol 118. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-35674-7_3
DOI: https://doi.org/10.1007/978-0-387-35674-7_3
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4757-5521-3
Online ISBN: 978-0-387-35674-7
eBook Packages: Springer Book Archive