Title :
Methods for cluster-based incident detection
Author :
Carrier, Brian D. ; Matheny, Blake
Author_Institution :
Center for Educ. & Res. in Inf. Assurance & Security, Purdue Univ., West Lafayette, IN, USA
Abstract :
Here, we introduce a statistics-based anomaly detection technique for identifying systems that could have been compromised and had trojan executables installed. Attackers frequently install rootkits and other trojan files onto hosts they compromise so they can easily gain access in the future. Many detection systems use signatures to identify unauthorized files, but signatures for all platforms and patch levels do not exist in large-scale environments, such as government and university networks. Our anomaly detection system organizes hosts into clusters based on their files and uses statistics to identify those that should be examined in more detail.
Keywords :
authorisation; invasive software; message authentication; statistical analysis; workstation clusters; anomaly detection system; cluster-based incident detection method; digital signature; rootkits; statistics-based anomaly detection technique; trojan file; Databases; Fingerprint recognition; Government; Information security; Internet; Large-scale systems; Network servers; Operating systems; Performance gain; Statistics;
Conference_Titel :
Information Assurance Workshop, 2004. Proceedings. Second IEEE International
Print_ISBN :
0-7695-2117-7
DOI :
10.1109/IWIA.2004.1288039
