Technical report details
Profile-based adaptive anomaly detection for network security.
Zhang, Pengchu C. (Sandia National Laboratories, Albuquerque, NM) ; Durgin, Nancy Ann
Sandia National Laboratories
Keywords: Data Analysis; Information Systems; 99 General And Miscellaneous//Mathematics, Computing, And Information Science; Computer Security; Computer Networks
DOI: 10.2172/875979
Report number: SAND2005-7293
Contract number: AC04-94AL85000
OSTI ID: 875979
United States | English
Source: UNT Digital Library
Abstract

As information systems become increasingly complex and pervasive, they become inextricably intertwined with the critical infrastructure of national, public, and private organizations. The problem of recognizing and evaluating threats against these complex, heterogeneous networks of cyber and physical components is a difficult one, yet a solution is vital to ensuring security. In this paper we investigate profile-based anomaly detection techniques that can be used to address this problem. We focus primarily on the area of network anomaly detection, but the approach could be extended to other problem domains. We investigate using several data analysis techniques to create profiles of network hosts and perform anomaly detection using those profiles. The "profiles" reduce multi-dimensional vectors representing "normal behavior" into fewer dimensions, thus allowing pattern and cluster discovery. New events are compared against the profiles, producing a quantitative measure of how "anomalous" the event is. Most network intrusion detection systems (IDSs) detect malicious behavior by searching for known patterns in the network traffic. This approach suffers from several weaknesses, including a lack of generalizability, an inability to detect stealthy or novel attacks, and a lack of flexibility regarding alarm thresholds. Our research focuses on enhancing current IDS capabilities by addressing some of these shortcomings. We identify and evaluate promising techniques for data mining and machine learning. The algorithms are "trained" by providing them with a series of data points from "normal" network traffic. A successful algorithm can be trained automatically and efficiently, will have a low error rate (low false alarm and miss rates), and will be able to identify anomalies in "pseudo real-time" (i.e., while the intrusion is still in progress, rather than after the fact). We also build a prototype anomaly detection tool that demonstrates how the techniques might be integrated into an operational intrusion detection framework.

Attachments
File: 875979.pdf (3065 KB, PDF)