anomaly detection in computer security and an application to.pdfVIP

Anomaly Detection in Computer Security and an Application to File System Accesses Salvatore J. Stolfo, Shlomo Hershkop, Linh H. Bui, Ryan Ferster, and Ke Wang Columbia University, New York, NY 10027, USA {sal, shlomo, lhb2001, rlf92, kewang}@cs.columbia.edu Abstract. We present an overview of anomaly detection used in com- puter security, and provide a detailed example of a host-based Intrusion Detection System that monitors file systems to detect abnormal accesses. The File Wrapper Anomaly Detector (FWRAP) has two parts, a sensor that audits file systems, and an unsupervised machine learning system that computes normal models of those accesses. FWRAP employs the Probabilistic Anomaly Detection (PAD) algorithm previously reported in our work on Windows Registry Anomaly Detection. FWRAP rep- resents a general approach to anomaly detection. The detector is first trained by operating the host computer for some amount of time and a model specific to the target machine is automatically computed by PAD. The model is then deployed to a real-time detector. In this paper we describe the feature set used to model file system accesses, and the performance results of a set of experiments using the sensor while attack- ing a Linux host with a variety of malware exploits. The PAD detector achieved impressive detection rates in some cases over 95% and about a 2% false positive rate when alarming on anomalous processes. Keywords: Host-Based Intrusion Detection, Anomaly Detection, File System, Wrapping 1 Introduction Widely used commercial Intrusion Detection Systems (IDS) are based on sig- nature matching algorithms. These algorithms match audit d