DocumentCode :
3366571
Title :
Non-Stationary Markov Models and Anomaly Propagation Analysis in IDS
Author :
Tokhtabayev, Arnur G. ; Skormin, Victor A.
Author_Institution :
Binghamton Univ., Binghamton
fYear :
2007
fDate :
29-31 Aug. 2007
Firstpage :
203
Lastpage :
208
Abstract :
We propose an anomaly-based IDS that results in a decreased rate of false positives. It employs the new means of host-based detection in the system call domain with correlating anomalies reported by different hosts to the IDS server. A novel anomaly detection mechanism operating at the host level treats an application or service as a non-stationary stochastic process and models it as a non-stationary Markov chain that significantly improves model accuracy. A server-based procedure for the detection of anomaly propagation is employed. While false alarms do not propagate within the network, detected anomaly propagation with a high degree of certainty can be attributed to a computer worm; otherwise the alarms are to be treated as false positives.
Keywords :
Markov processes; invasive software; IDS server; anomaly detection mechanism; anomaly propagation analysis; anomaly propagation detection; computer worm; host-based detection; nonstationary Markov chain; nonstationary Markov models; nonstationary stochastic process; server-based procedure; system call domain; Buffer overflow; Computer security; Computer worms; Frequency; Histograms; Information analysis; Information security; Intrusion detection; Stochastic processes; Viruses (medical); Anomaly Propagation; Intrusion detection; Markov Models;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Information Assurance and Security, 2007. IAS 2007. Third International Symposium on
Conference_Location :
Manchester
Print_ISBN :
0-7695-2876-7
Electronic_ISBN :
978-0-7695-2876-2
Type :
conf
DOI :
10.1109/IAS.2007.72
Filename :
4299775