In anomaly detection, we continue to study the problem of "program behavior monitoring". We developed an analysis technique that uses "environment-sensitive" information to construct more accurate models of system call arguments. This work will be published in the International Symposium on Recent Advances in Intrusion Detection (RAID), September 2005. We also introduced a new kind of attack, "evasion by blending in with normal traffic", on network anomaly detection systems, and are developing a theoretical framework to evaluate the "hardness of evasion" of an anomaly detection system.
We also studied the problem of "alert correlation". We have developed attack plan recognition algorithms, and automated the entire workflow of alert reduction, aggregation, correlation, and scenario recognition. This work was published in the 20th Annual Computer Security Applications Conference (ACSAC 2004), December 2004.
We studied the performance characteristics of real-time intrusion detection systems, and developed theoretical models that can provide guidance for building adaptive real-time intrusion detection systems. This work was published in the 43rd IEEE Conference on Decision and Control (CDC 2004), December 2004.
Papers published in 2004-2005:
In our work on constructing "environment-sensitive" anomaly detection models of programs, we showed that our analysis techniques improved argument recovery by 55% to 99% in our experiments. Using the average reachability measure, we demonstrated the value of whole-program data-flow analysis and environment-sensitive models. On four test programs, we improved the precision of context-sensitive models from 77% to 100%.
In our work on characterizing the performance of real-time intrusion detection systems, we found that: 1) rule checking accounts for about 75% of the total processing time; 2) the distribution of rule checking times is remarkably bimodal; 3) header processing times have a small variance and small correlation coefficients; 4) in contrast, the distribution of payload processing times displays high variance, in a form that can be generally characterized as "slightly heavy-tailed". Specifically, payload processing times have a Lognormal upper tail, clipped at the top 1%. This extreme 1% upper tail is better fit by the Exponential distribution.
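The following is an added worked example, not code from the project described above. It shows how a practitioner would test the kind of tail characterization stated in the paragraph on their own per-packet processing-time measurements: fit a Lognormal to the whole sample by closed-form maximum likelihood, cut the sample at the empirical 99th percentile, and compare, on the top 1% only, the log-likelihood of the conditional Lognormal against an Exponential fitted to the excess over the cut. The processing times are constructed in the script (a Lognormal body with a heavier synthetic tail mixed in), so the numbers it prints illustrate the method only; the threshold choice of 0.99 and the mixture model are assumptions of this example, not figures from the paper.

```python
import math
import random
from typing import Dict, List, Tuple


def lognormal_mle(samples: List[float]) -> Tuple[float, float]:
    """Closed-form maximum-likelihood Lognormal fit: mean and standard
    deviation of log(x) over the whole sample."""
    logs = [math.log(x) for x in samples]
    n = len(logs)
    mu = sum(logs) / n
    var = sum((v - mu) ** 2 for v in logs) / n
    return mu, math.sqrt(var)


def lognormal_cdf(x: float, mu: float, sigma: float) -> float:
    return 0.5 * (1.0 + math.erf((math.log(x) - mu) / (sigma * math.sqrt(2.0))))


def lognormal_logpdf(x: float, mu: float, sigma: float) -> float:
    z = (math.log(x) - mu) / sigma
    return -math.log(x * sigma * math.sqrt(2.0 * math.pi)) - 0.5 * z * z


def tail_threshold(samples: List[float], q: float = 0.99) -> float:
    """Empirical q-quantile: samples strictly above it form the top (1-q)."""
    s = sorted(samples)
    idx = max(0, min(len(s) - 1, math.ceil(q * len(s)) - 1))
    return s[idx]


def exponential_tail_mle(samples: List[float], threshold: float) -> float:
    """MLE rate of an Exponential fitted to the excess (x - threshold)."""
    excess = [x - threshold for x in samples if x > threshold]
    if not excess:
        raise ValueError("no samples above threshold")
    return len(excess) / sum(excess)


def compare_tail_fits(samples: List[float], q: float = 0.99) -> Dict[str, float]:
    """On the top (1-q) of the sample, compare the Lognormal fitted to the
    whole sample (conditioned on exceeding the cut) against an Exponential
    fitted to the excess. Higher log-likelihood is the better description."""
    mu, sigma = lognormal_mle(samples)
    thr = tail_threshold(samples, q)
    tail = [x for x in samples if x > thr]
    rate = exponential_tail_mle(samples, thr)
    # Conditional Lognormal density: pdf(x) / P(X > thr).
    surv = max(1.0 - lognormal_cdf(thr, mu, sigma), 1e-300)
    ll_ln = sum(lognormal_logpdf(x, mu, sigma) - math.log(surv) for x in tail)
    ll_exp = sum(math.log(rate) - rate * (x - thr) for x in tail)
    return {
        "threshold": thr,
        "tail_count": len(tail),
        "ll_lognormal": ll_ln,
        "ll_exponential": ll_exp,
        "better": "exponential" if ll_exp > ll_ln else "lognormal",
    }


def constructed_payload_times(n: int = 2000, seed: int = 7) -> List[float]:
    """Constructed stand-in for measured payload processing times (microseconds):
    a Lognormal body with 2% of samples drawn from a heavier synthetic tail.
    These values are invented for the example and are not measurements."""
    rng = random.Random(seed)
    times = []
    for _ in range(n):
        if rng.random() < 0.02:
            times.append(50.0 + rng.expovariate(1.0 / 40.0))  # synthetic heavy tail
        else:
            times.append(rng.lognormvariate(2.0, 0.6))        # body
    return times


if __name__ == "__main__":
    data = constructed_payload_times()
    mu, sigma = lognormal_mle(data)
    print(f"Lognormal fit over all samples: mu={mu:.3f} sigma={sigma:.3f}")
    result = compare_tail_fits(data, q=0.99)
    print(f"top-1% cut at {result['threshold']:.2f} us, {result['tail_count']} samples")
    print(f"log-likelihood  Lognormal={result['ll_lognormal']:.2f}"
          f"  Exponential={result['ll_exponential']:.2f}  -> {result['better']}")
```

Replace `constructed_payload_times` with a list of real per-packet timings to apply the check to an actual sensor; the comparison uses only the standard library, so it runs offline on a capture box.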