Title :
Discovering Host Anomalies in Multi-source Information
Author :
Gao Cuixia ; Li Zhitang
Author_Institution :
Sch. of Comput. Sci. & Technol., Huazhong Univ. of Sci. & Technol., Wuhan, China
Abstract :
Anomaly detection means building a reference profile of normal activity and comparing ongoing activity against it. It is promising because of its potential to detect previously unseen types of attacks. In this paper we present our preliminary research on host anomaly detection by fusing multi-source security information. We selected five types of information that may be good indicators of host anomalies: RAM usage, host network connections, bandwidth usage, antivirus alerts, and alerts from our own project SATA. In the information fusion framework, Dempster-Shafer (D-S) evidence theory is used to fuse the dynamic host-related information. Some improvements are also discussed. We also use a real-world environment to demonstrate the method's capability for detecting host anomalies, and show that our prototype successfully detects most of the anomalies caused by DoS, scanning and other attacks.
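As an added illustration of the fusion step the abstract describes (this is not code from the paper), the following Python applies Dempster's rule of combination to one constructed mass function per information source and reports belief and plausibility that the host is anomalous; the source names, mass values and the two-element frame are assumptions.

```python
from itertools import product

# Frame of discernment for one host: it is either normal or anomalous.
ANOMALY = frozenset({"anomaly"})
NORMAL = frozenset({"normal"})
THETA = ANOMALY | NORMAL  # the whole frame: mass here expresses ignorance

def combine(m1, m2):
    """Dempster's rule of combination for two basic probability assignments.
    Each mass function maps a non-empty frozenset subset of THETA to a mass in [0, 1]."""
    fused, conflict = {}, 0.0
    for (a, ma), (b, mb) in product(m1.items(), m2.items()):
        inter = a & b
        if inter:
            fused[inter] = fused.get(inter, 0.0) + ma * mb
        else:
            conflict += ma * mb  # mass committed to disjoint hypotheses
    if conflict >= 1.0:
        raise ValueError("sources are in total conflict; cannot normalise")
    return {k: v / (1.0 - conflict) for k, v in fused.items()}

def belief(m, hyp):
    """Bel(hyp): total mass on subsets of hyp."""
    return sum(v for k, v in m.items() if k <= hyp)

def plausibility(m, hyp):
    """Pl(hyp): total mass on sets that intersect hyp."""
    return sum(v for k, v in m.items() if k & hyp)

def assess_host(source_masses):
    """Fuse one mass function per information source; return (Bel, Pl) of 'anomaly'."""
    fused = source_masses[0]
    for m in source_masses[1:]:
        fused = combine(fused, m)
    return belief(fused, ANOMALY), plausibility(fused, ANOMALY)

# Constructed sample: each source assigns mass to 'anomaly', 'normal' or THETA.
# The numbers are illustrative assumptions, not values from the paper.
SAMPLE_SOURCES = [
    {ANOMALY: 0.2, THETA: 0.8},   # RAM usage slightly above the host's profile
    {ANOMALY: 0.6, THETA: 0.4},   # unusually many outbound connections
    {ANOMALY: 0.5, THETA: 0.5},   # bandwidth usage above profile
    {NORMAL: 0.3, THETA: 0.7},    # antivirus raised no alert (weak support for normal)
    {ANOMALY: 0.7, THETA: 0.3},   # SATA raised an alert against this host
]

if __name__ == "__main__":
    bel, pl = assess_host(SAMPLE_SOURCES)
    print(f"Bel(anomaly)={bel:.3f}  Pl(anomaly)={pl:.3f}")
```

Note how the single source favouring "normal" does not veto the others: its mass is redistributed through the conflict term rather than cancelling the anomaly evidence outright.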
Keywords :
inference mechanisms; random-access storage; security of data; D-S evidence theory; RAM usage; antivirus; dynamic host-related information; host anomaly detection; information fusion framework; multisource information; multisource security information; project SATA; reference profile; Computer science; Computer security; Detectors; Event detection; Expert systems; Fuses; Information analysis; Information security; Prototypes; Telecommunication traffic; D-S theory; anomaly detection; multi-source information
Conference_Title :
Multimedia Information Networking and Security, 2009. MINES '09. International Conference on
Conference_Location :
Hubei
Print_ISBN :
978-0-7695-3843-3
Electronic_ISBN :
978-1-4244-5068-8
DOI :
10.1109/MINES.2009.150