DOI: 10.1145/1654988.1655000
Research article, ACM conference proceedings (CCS)

Keep your friends close: the necessity for updating an anomaly sensor with legitimate environment changes

Published: 09 November 2009

Abstract

Large-scale distributed systems have dense, complex code-bases that are assumed to perform multiple and inter-dependent tasks while user interaction is present. The way users interact with systems can differ and evolve over time, as can the systems themselves. Consequently, anomaly detection (AD) sensors must be able to cope with updates to their operating environment. Otherwise, the sensor may incorrectly classify new patterns as malicious (a false positive) or assert that old or outdated patterns are normal (a false negative). This problem of "model drift" is an almost universally acknowledged hazard for anomaly sensors. However, relatively little work has been done to understand the process of identifying and seamlessly updating an operational network AD sensor with legal modifications like changes to a file system or back-end database.
In this paper, we highlight some of the challenges of keeping an anomaly sensor updated, an important step toward helping anomaly sensors become a practical intrusion detection tool for real-world network and host environments. Our goal is to eliminate needless false positives arising from the gradual de-synchronization of the sensor from the environment it is monitoring. To that end, we investigate the feasibility of automatically deriving and applying a "data" or "model patch" that describes the changes necessary to update a "reasonable" AD behavioral model (i.e., a model whose structure follows the core design principles of existing anomaly models). We propose an update procedure that is holistic in nature: specifically, we present preliminary results on how to update a sensor that monitors the request and response messages for non-dynamic HTTP requests and software patches. In addition, we propose extensions for dynamic, database-driven requests and responses.




Published In

AISec '09: Proceedings of the 2nd ACM workshop on Security and artificial intelligence, November 2009, 72 pages. ISBN: 9781605587813. DOI: 10.1145/1654988.

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

anomaly detection, concept drift, model update


Conference

CCS '09. Overall acceptance rate: 94 of 231 submissions (41%).

Cited By

      • (2022) Anomaly Detection as a Service. Online publication date: 7 March 2022.
      • (2012) DoubleGuard. IEEE Transactions on Dependable and Secure Computing, 9(4):511-524. DOI: 10.1109/TDSC.2011.59. Online publication date: 1 July 2012.
      • (2011) Anomaly Detection in Network Traffic Based on Statistical Inference and α-Stable Modeling. IEEE Transactions on Dependable and Secure Computing, 8(4):494-509. DOI: 10.1109/TDSC.2011.14. Online publication date: 1 July 2011.
      • (2011) Cross-Domain Collaborative Anomaly Detection. Proceedings of the 14th International Conference on Recent Advances in Intrusion Detection, pages 142-160. DOI: 10.1007/978-3-642-23644-0_8. Online publication date: 20 September 2011.
      • (2010) Moving Targets. Proceedings of the 10th Industrial Conference on Advances in Data Mining: Applications and Theoretical Aspects, pages 1-16. DOI: 10.5555/1880672.1880674. Online publication date: 12 July 2010.
      • (2010) Experimental Results of Cross-Site Exchange of Web Content Anomaly Detector Alerts. 2010 IEEE International Conference on Technologies for Homeland Security (HST), pages 8-14. DOI: 10.1109/THS.2010.5655103. Online publication date: November 2010.
      • (2010) Moving Targets. Advances in Data Mining: Applications and Theoretical Aspects, pages 1-16. DOI: 10.1007/978-3-642-14400-4_1. Online publication date: 2010.
