
Cross-Domain Collaborative Anomaly Detection: So Far Yet So Close

  • Conference paper
Recent Advances in Intrusion Detection (RAID 2011)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 6961))

Abstract

Web applications have emerged as the primary means of access to vital and sensitive services such as online payment systems and databases storing personally identifiable information. Unfortunately, the need for ubiquitous and often anonymous access exposes web servers to adversaries. Indeed, network-borne zero-day attacks pose a critical and widespread threat to web servers that cannot be mitigated by the use of signature-based intrusion detection systems. To detect previously unseen attacks, we correlate, across multiple web servers, web requests containing user-submitted content that local Content Anomaly Detection (CAD) sensors deem abnormal. The cross-site information exchange happens in real time, leveraging privacy-preserving data structures. We filter out high-entropy and rarely seen legitimate requests, reducing the amount of data and time an operator has to spend sifting through alerts. Our results come from a fully working prototype using eleven weeks of real-world data from production web servers. During that period, we identify at least three application-specific attacks not belonging to an existing class of web attacks, as well as a wide range of traditional classes of attacks including SQL injection, directory traversal, and code inclusion, without using human-specified knowledge or input.

This work is sponsored in part by US National Science Foundation (NSF) grant CNS-TC 0915291 and AFOSR MURI grant 107151AA “MURI: Autonomic Recovery of Enterprise-wide Systems After Attack or Failure with Forward Correction.” The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the U.S. Government.
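The cross-site exchange the abstract describes, as an added illustration that is not code from the paper or its prototype: each site keeps only the low-entropy alerts raised by its local content anomaly sensor, publishes them as a Bloom filter (assumed here as the privacy-preserving structure; the abstract does not name one), and a peer reports only the alerts that both sites flagged. The request strings, the entropy cutoff and the filter parameters are constructed for the example.

```python
import hashlib
import math
from collections import Counter

class BloomFilter:
    """Fixed-size Bloom filter: peers receive hashed bits, never raw request content."""
    def __init__(self, m=4096, k=4):
        self.m, self.k = m, k
        self.bits = bytearray(m // 8)
    def _positions(self, item):  # k bit positions from salted SHA-256
        for i in range(self.k):
            h = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(h[:4], "big") % self.m
    def add(self, item):
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)
    def __contains__(self, item):
        return all((self.bits[p // 8] >> (p % 8)) & 1 for p in self._positions(item))

def byte_entropy(text):
    """Shannon entropy of the request string, in bits per character."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def low_entropy_alerts(flagged, max_entropy=4.5):
    """Drop high-entropy alerts (random tokens, encoded blobs): a content anomaly
    sensor flags them, but they carry no pattern worth exchanging with peers."""
    return [r for r in flagged if byte_entropy(r) <= max_entropy]

def build_exchange_filter(flagged):
    """What a site publishes: a Bloom filter over its low-entropy local alerts."""
    bf = BloomFilter()
    for r in low_entropy_alerts(flagged):
        bf.add(r)
    return bf

def correlate(local_flagged, peer_filters):
    """Local alerts that at least one peer also flagged; one-off local
    anomalies and high-entropy noise never reach the operator."""
    return [r for r in low_entropy_alerts(local_flagged)
            if any(r in bf for bf in peer_filters)]

# Constructed sample alerts, standing in for each site's local CAD sensor output.
SITE_A_FLAGGED = ["/search?q=' OR 1=1--", "/download?file=../../etc/passwd",
                  "/api/upload?token=Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MA",  # legit, high entropy
                  "/profile?id=42"]                                   # local one-off
SITE_B_FLAGGED = ["/search?q=' OR 1=1--", "/download?file=../../etc/passwd",
                  "/checkout?cart=ab12"]
```

Calling `correlate(SITE_B_FLAGGED, [build_exchange_filter(SITE_A_FLAGGED)])` returns only the two requests both sites flagged; the upload token is dropped by the entropy cutoff and the one-off profile request never leaves site A's filter as a match.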


Editor information

Robin Sommer Davide Balzarotti Gregor Maier


Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Boggs, N., Hiremagalore, S., Stavrou, A., Stolfo, S.J. (2011). Cross-Domain Collaborative Anomaly Detection: So Far Yet So Close. In: Sommer, R., Balzarotti, D., Maier, G. (eds) Recent Advances in Intrusion Detection. RAID 2011. Lecture Notes in Computer Science, vol 6961. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-23644-0_8

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-23644-0_8

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-23643-3

  • Online ISBN: 978-3-642-23644-0
