     


Of daemons and men: A file system approach towards intrusion detection
Affiliation:1. School of Mathematical Sciences, Anhui University, Hefei, Anhui 230601, China;2. Signal and Image Processing Institute, Department of Electrical Engineering, University of Southern California, Los Angeles, CA 90007, USA;1. Department of Instrumentation & Control, SVIT, Vasad, Gujarat, India;2. Department of Instrumentation & Control, Nirma University, Ahmedabad, Gujarat, India;1. School of Computer Science and Technology, Dalian University of Technology, Dalian, Liaoning 116023, China;2. School of Life Science and Biotechnology, Dalian University of Technology, Dalian, Liaoning 116023, China;1. Department of Applied Physics, University of Calcutta, Kolkata, India;2. Department of Electrical Engineering, Jadavpur University, Kolkata 700032, India;1. State Key Lab of Mechanical System and Vibration, School of Mechanical Engineering, Shanghai Jiao Tong University, Shanghai 200240, China;2. Department of Systems Engineering & Engineering Management, City University of Hong Kong, Hong Kong, China;3. State Key Laboratory of High Performance Complex Manufacturing, Central South University, Changsha, Hunan, China;4. Department of Automation, Shanghai Jiao Tong University, Shanghai 200240, China;1. College of Electronic Information and Control Engineering, Beijing University of Technology, Beijing 100124, China;2. School of Electrical and Electronic Engineering, East China Jiaotong University, Nanchang 330013, China;3. Beijing Key Laboratory of Computational Intelligence and Intelligent System, Beijing 100124, China
Abstract: We present FI2DS, a file-system-based, host-based anomaly detection system that monitors Basic Security Module (BSM) audit records and determines whether a web server has been compromised by comparing the monitored activity generated by the web server against a normal usage profile. Additionally, we propose a set of features extracted from file-system-specific BSM audit records, as well as an IDS that identifies attacks with a decision engine that applies one-class classification over a moving window on the incoming data. We have used two different machine learning algorithms, Support Vector Machines (SVMs) and Gaussian Mixture Models (GMMs), and our evaluation is performed on real-world datasets collected from three web servers and a honeynet. Results are very promising: FI2DS detection rates range between 91% and 95.9%, with corresponding false positive rates ranging between 8.1 × 10^-2 % and 9.3 × 10^-4 %. Comparison of FI2DS with another state-of-the-art file-system-based IDS, FWRAP, indicates higher effectiveness of the proposed IDS on all three datasets. Within the context of this paper FI2DS is evaluated for the web daemon user; nevertheless, it can be directly extended to model any daemon user for both intrusion detection and postmortem analysis.
Keywords: Intrusion detection systems, Information security, Machine learning, Data mining, File system, Anomaly detection
This document is indexed in ScienceDirect and other databases.