Title :
Non-Stationary Markov Models and Anomaly Propagation Analysis in IDS
Author :
Tokhtabayev, Arnur G. ; Skormin, Victor A.
Author_Institution :
Binghamton Univ., Binghamton
Abstract :
We propose an anomaly-based IDS that reduces the rate of false positives. It combines a new means of host-based detection in the system call domain with correlation, at the IDS server, of the anomalies reported by different hosts. A novel anomaly detection mechanism operating at the host level treats an application or service as a non-stationary stochastic process and models it as a non-stationary Markov chain, which significantly improves model accuracy. A server-based procedure detects anomaly propagation. Since false alarms do not propagate within the network, detected anomaly propagation can be attributed with a high degree of certainty to a computer worm; otherwise the alarms are treated as false positives.
Keywords :
Markov processes; invasive software; IDS server; anomaly detection mechanism; anomaly propagation analysis; anomaly propagation detection; computer worm; host-based detection; nonstationary Markov chain; nonstationary Markov models; nonstationary stochastic process; server-based procedure; system call domain; Buffer overflow; Computer security; Computer worms; Frequency; Histograms; Information analysis; Information security; Intrusion detection; Stochastic processes; Viruses (medical); Anomaly Propagation; Intrusion detection; Markov Models;
Conference_Title :
Information Assurance and Security, 2007. IAS 2007. Third International Symposium on
Conference_Location :
Manchester
Print_ISBN :
0-7695-2876-7
Electronic_ISBN :
978-0-7695-2876-2
DOI :
10.1109/IAS.2007.72