[Colloq] Talk **Friday, May 30** 270 Dodge Hall
Rachel Bates
rachelb at ccs.neu.edu
Mon May 19 17:50:33 EDT 2003
CCIS Colloquium
Date: Friday, May 30, 2003
Time: 1:00 - 2:00 PM
Place: DG 270
Speaker: Professor Philip Chan, Florida Institute of Technology
Title: Learning Rules for Anomaly Detection
Abstract
Network intrusion detection systems often rely on matching patterns
that are gleaned from known attacks. While this method is reliable and
rarely produces false alarms, it has the obvious disadvantage that it
cannot detect novel attacks. An alternative approach is to learn a
model of normal traffic and report deviations, but these anomaly
models are typically restricted to modeling IP addresses and ports,
and do not include the application payload where many attacks
occur. We describe a novel approach to anomaly detection. We extract
a set of attributes from each event (IP packet or TCP connection),
including strings in the payload, and induce a set of conditional
rules which have a very low probability of being violated in a
nonstationary model of the normal network traffic in the training
data. In the 1999 DARPA intrusion detection evaluation data set, we
detect about 60% of 190 attacks at a false alarm rate of 10 per day
(100 total). We believe that anomaly detection can work because most
attacks exploit software or configuration errors that escaped field
testing, so are only exposed under unusual conditions.
Host: Agnes Chan
More information about the Colloq
mailing list