Conference topic

Discovering Host Anomalies in Multi-Source Information

Anomaly detection means building a reference profile of normal activity and comparing ongoing activity against it. It is very promising because of its potential to detect previously unseen types of attacks. In this paper we present our preliminary research on host anomaly detection by fusing multi-source security information. We selected five types of information that may be good indicators of host anomalies: RAM usage, host network connections, bandwidth usage, antivirus alerts, and alerts from our own project, SATA. Within the information fusion framework, D-S evidence theory is used to fuse the dynamic host-related information, and some improvements to it are discussed. We also use a real-world environment to demonstrate the method's capability for detecting host anomalies, and show that our prototype successfully detects most of the anomalies caused by DoS, scanning and other attacks.

Keywords: D-S theory; anomaly detection; multi-source information

Gao Cuixia, Li Zhitang

School of Computer Science and Technology, Huazhong University of Science and Technology

International conference

The First International Conference on Multimedia Information Networking and Security (MINES 2009)

Wuhan

English

Pages 1030-1033

2009-11-18 (date the record was first posted on the Wanfang platform, not the paper's publication date)