
Effective Multimodel Anomaly Detection Using Cooperative Negotiation

  • Conference paper
Decision and Game Theory for Security (GameSec 2010)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 6442)

Abstract

Many computer protection tools incorporate learning techniques that build mathematical models to capture the characteristics of a system's activity and then check whether the live system's activity fits the learned models. This approach, referred to as anomaly detection, has enjoyed immense popularity because of its effectiveness at recognizing unknown attacks (under the assumption that attacks cause glitches in the protected system). Typically, instead of building a single complex model, smaller, partial models are constructed, each capturing different features of the monitored activity. Such a multimodel paradigm raises the non-trivial issue of combining the partial models to decide whether or not the activity contains signs of attacks. Various mechanisms can be chosen, ranging from a simple weighted average to Bayesian networks, or more sophisticated strategies. In this paper we show how different aggregation functions can influence the detection accuracy. To mitigate these issues we propose a radically different approach: rather than treating the aggregation as a calculation, we formulate it as a decision problem, implemented through cooperative negotiation between autonomous agents. We validated the approach on a publicly available, realistic dataset, and show that it enhances the detection accuracy with respect to a system that uses elementary aggregation mechanisms.
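The abstract's point that the choice of aggregation function shapes detection accuracy, as an added illustration that is not the paper's code (the paper's negotiation-based aggregation is not reproduced here). The three partial models, their scores and the weights are constructed; each model scores one feature of a request in [0, 1], with 1 meaning maximally anomalous.

```python
# Added example, not from the paper: the same partial-model outputs are
# combined by three elementary aggregation functions, and the verdict
# at a fixed threshold depends on which function is chosen.

def weighted_average(scores, weights):
    """Weighted mean of the partial scores (the 'simple' aggregator)."""
    total = sum(weights[m] for m in scores)
    return sum(scores[m] * weights[m] for m in scores) / total

def max_score(scores, weights=None):
    """Flag if any single model is anomalous enough on its own."""
    return max(scores.values())

def noisy_or(scores, weights=None):
    """Probabilistic OR: 1 - prod(1 - s_i); rises when several models agree."""
    p = 1.0
    for s in scores.values():
        p *= 1.0 - s
    return 1.0 - p

def classify(scores, aggregate, weights, threshold=0.5):
    """Binary verdict: anomalous iff the aggregated score reaches the threshold."""
    return aggregate(scores, weights) >= threshold

# Constructed: equal trust in the three partial models (hypothetical names).
WEIGHTS = {"length": 1.0, "charset": 1.0, "structure": 1.0}

# Constructed partial-model outputs for three requests.
SAMPLES = {
    "benign":           {"length": 0.10, "charset": 0.15, "structure": 0.05},
    # one model fires strongly, the other two see nothing unusual
    "single_model_hit": {"length": 0.05, "charset": 0.95, "structure": 0.10},
    # every model is mildly surprised, none is confident by itself
    "diffuse":          {"length": 0.45, "charset": 0.40, "structure": 0.48},
}

def compare(samples=SAMPLES, weights=WEIGHTS, threshold=0.5):
    """Return, per sample, the verdict of each aggregation function."""
    aggregators = {"wavg": weighted_average, "max": max_score, "noisy_or": noisy_or}
    return {name: {agg: classify(s, fn, weights, threshold)
                   for agg, fn in aggregators.items()}
            for name, s in samples.items()}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:18s} {verdicts}")
```

The weighted average misses both anomalous samples at this threshold, the max misses the diffuse one, and noisy-OR catches both; none of the three is correct across all cases, which is the gap the paper's decision-based aggregation targets.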




© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Volpatto, A., Maggi, F., Zanero, S. (2010). Effective Multimodel Anomaly Detection Using Cooperative Negotiation. In: Alpcan, T., Buttyán, L., Baras, J.S. (eds) Decision and Game Theory for Security. GameSec 2010. Lecture Notes in Computer Science, vol 6442. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-17197-0_12


  • DOI: https://doi.org/10.1007/978-3-642-17197-0_12

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-17196-3

  • Online ISBN: 978-3-642-17197-0

  • eBook Packages: Computer Science (R0)
