[Colloq] REMINDER, talk, NOW, Friday, May 30, 1:00pm, 270 DG

Rachel Bates rachelb at ccs.neu.edu
Fri May 30 14:03:41 EDT 2003


The talk is NOW.

-----Original Message-----
From: colloq-bounces at lists.ccs.neu.edu
[mailto:colloq-bounces at lists.ccs.neu.edu]On Behalf Of Rachel Bates
Sent: Tuesday, May 20, 2003 3:12 PM
To: colloq at lists.ccs.neu.edu
Subject: [Colloq] Friday, May 30, 1:00pm, 270 DG


CCIS Colloquium
Date:  Friday, May 30, 2003
Time:  1:00 - 2:00 PM
Place: DG 270

Speaker:  Professor Philip Chan, Florida Institute of Technology

Title:  Learning Rules for Anomaly Detection

Abstract

Network intrusion detection systems often rely on matching patterns
that are gleaned from known attacks. While this method is reliable and
rarely produces false alarms, it has the obvious disadvantage that it
cannot detect novel attacks. An alternative approach is to learn a
model of normal traffic and report deviations, but these anomaly
models are typically restricted to modeling IP addresses and ports,
and do not include the application payload where many attacks
occur. We describe a novel approach to anomaly detection.  We extract
a set of attributes from each event (IP packet or TCP connection),
including strings in the payload, and induce a set of conditional
rules which have a very low probability of being violated in a
nonstationary model of the normal network traffic in the training
data. In the 1999 DARPA intrusion detection evaluation data set, we
detect about 60% of 190 attacks at a false alarm rate of 10 per day
(100 total). We believe that anomaly detection can work because most
attacks exploit software or configuration errors that escaped field
testing, so are only exposed under unusual conditions.

Host:  Agnes Chan
_______________________________________________
Colloq mailing list
Colloq at lists.ccs.neu.edu
https://lists.ccs.neu.edu/bin/listinfo/colloq



More information about the Colloq mailing list