
High Order Non-Stationary Markov Models and Anomaly Propagation Analysis in Intrusion Detection System (IDS)



Abstract

A new concept aimed at decreasing the false positive rates of anomaly-based intrusion detection operating in the system call domain is proposed. To mitigate false positives, network-based correlation of anomalies collected from different hosts is suggested, as well as a new means of host-based anomaly detection. The concept of anomaly propagation is based on the premise that false alarms do not propagate within the network. Unless anomaly propagation is observed, alarms are to be treated as false positives. The rationale behind the concept lies in the fact that the most common feature of worms and viruses is self-replication. As replication takes place, malicious code propagating through the network would carry out the same activity, resulting in almost identical system call sequences and triggering the same alarm at different hosts. The alarm propagation effect can be used to distinguish true alarms from false positives. At the host level, a new anomaly detection mechanism that employs non-stationary Markov models is proposed.
