Track 3: Scalable Detection infrastructure - Harmonized Anomaly Detection Techniques

In general, anomaly detection techniques build a description of normal behavior, by training a model of a system under typical operation, and compare the normal model at run-time to detect deviations of interest. Anomaly detection systems may be used over any audit source to both train and test for deviations from the norm, though the most predominant approaches focus on building OS models through the study of sequences of system calls (Zhang 2005, Forrest 1996, Ghosh 2000). These approaches, however, suffer from several limitations, which explains, in our opinion, the fact that they have rarely been deployed in commercial settings. These limitations are due mainly to the following reasons:

• They operate in silos by focusing on one specific view or aspect of the system (usually through system calls) and not using all the data that is available for analysis and detection including the system state, file accesses, memory accesses, etc., hindering their ability to detect more subtle attacks such as the ones that can mimic the OS trace model.

• Techniques that are based on building models (whether they focus on sequences of events, file accesses, or any other audit information) require long training time, which makes them computationally infeasible. This is due to two main reasons: the overhead added by the monitoring process (this issue will be addressed in Tracks 1 and 2), and the large size of typical run-time information, often millions of lines long (this will be addressed in this track). This problem must be solved for any detection mechanism to be effective.

• They generate a very high number of false positives, which leads to either increased monitoring manpower, or more commonly, deactivation of the monitoring system by operators.

• They tend to be static. In other words, they do not allow varying the focus and resolution of what needs to be observed.

The objective of this research thread is therefore to address most of these limitations by developing a harmonized and integrated host-based anomaly detection infrastructure that will improve the ability to detect at runtime a great number of anomalies in the system while significantly reducing false positive rates. More specifically, we propose to use a multi-level analysis strategy as the core mechanism of our host-based anomaly detection infrastructure. We focus on three levels of analysis: Continuous Monitoring, Analysis Models, Feedback-Directed Capability.