Report for 2004-2005

Activities:

In anomaly detection, we continue to study the problem of "program behavior monitoring". We developed an analysis technique that uses "environment-sensitive" information to construct more accurate models of system call arguments. This work will be published in the International Symposium on Recent Advances in Intrusion Detection (RAID), September 2005. We also introduced a new kind of attack, "evasion by blending in with normal traffic", on network anomaly detection systems, and are developing a theoretical framework to evaluate the "hardness of evasion" of an anomaly detection system.

We also studied the problem of "alert correlation". We have developed attack plan recognition algorithms and automated the entire workflow of alert reduction, aggregation, correlation, and scenario recognition. This work was published in the 20th Annual Computer Security Applications Conference (ACSAC 2004), December 2004.

We studied the performance characteristics of real-time intrusion detection systems and developed theoretical models that can provide guidance for building adaptive real-time intrusion detection systems. This work was published in the 43rd IEEE Conference on Decision and Control (CDC 2004), December 2004.

Papers published in 2004-2005:

  1. Jon Giffin, David Dagon, Somesh Jha, Wenke Lee, and Barton Miller. Environment-Sensitive Intrusion Detection. In Proceedings of the International Symposium on Recent Advances in Intrusion Detection (RAID), September 2005.
  2. David Dagon, Wenke Lee, and Richard Lipton. Protecting Secret Data from Insider Attacks. In Proceedings of the Ninth International Conference on Financial Cryptography and Data Security (FC'05), Roseau, Dominica, February 2005.
  3. Guofei Gu, David Dagon, Xinzhou Qin, Monirul I. Sharif, Wenke Lee, and George F. Riley. Worm Detection, Early Warning, and Response Based on Local Victim Information. In Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC 2004), Tucson, Arizona, December 2004.
  4. Xinzhou Qin and Wenke Lee. Attack Plan Recognition and Prediction Using Causal Networks. In Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC 2004), Tucson, Arizona, December 2004.
  5. Joao B.D. Cabrera, Jaykumar Gosar, Wenke Lee, and Raman K. Mehra. On the Statistical Distribution of Processing Times in Network Intrusion Detection. In Proceedings of the 43rd IEEE Conference on Decision and Control (CDC 2004), Bahamas, December 2004.
  6. George F. Riley, Monirul I. Sharif, and Wenke Lee. Simulating Internet Worms. In Proceedings of the 12th Annual Meeting of the IEEE/ACM International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems (MASCOTS), Volendam, The Netherlands, October 2004.

Findings:

In our work on constructing "environment-sensitive" anomaly detection models of programs, we showed that our analysis techniques improved argument recovery by 55% to 99% in our experiments. Using the average reachability measure, we demonstrated the value of whole-program data-flow analysis and environment-sensitive models. On four test programs, we improved the precision of context-sensitive models from 77% to 100%.

In our work on characterizing the performance of real-time intrusion detection systems, we found that: 1) rule checking accounts for about 75% of the total processing time; 2) the distribution of rule checking times is remarkably bimodal; 3) header processing times have a small variance and small correlation coefficients; 4) in contrast, the distribution of payload processing times displays high variance, in a form that can be generally characterized as "slightly heavy-tailed". Explicitly, payload processing times have a Lognormal upper tail, clipped at the top 1%. This extreme 1% upper tail is better fit by the Exponential distribution.
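The following is an added example, not code from the report or from the CDC 2004 paper, showing how a practitioner would apply the characterization above to their own sensor: clip the per-packet payload processing times at the 99th percentile, fit a Lognormal to the body below the clip point, fit an Exponential to the excess above it, and then use the combined model to estimate how often a given per-packet latency budget would be exceeded, which is the kind of guidance an adaptive real-time IDS needs. The timing sample is constructed (drawn from a Lognormal with a fixed seed) so the script runs offline; the parameter values, the function names, and the use of plain maximum-likelihood fits are assumptions of this example, not figures from the report.

```python
import math
import random
import statistics

# Constructed sample: per-packet payload processing times in microseconds.
# A real deployment would replace this with timings taken from the sensor's
# own instrumentation; the Lognormal parameters below are made up for the demo.
TRUE_MU, TRUE_SIGMA = 3.0, 0.5
_rng = random.Random(20040)
SAMPLE_TIMES = [_rng.lognormvariate(TRUE_MU, TRUE_SIGMA) for _ in range(10_000)]


def split_at_quantile(times, q=0.99):
    """Sort the times and return (body, tail): body holds the lowest q fraction,
    tail holds the top (1 - q) fraction, i.e. the extreme 1% by default."""
    ordered = sorted(times)
    cut = int(len(ordered) * q)
    return ordered[:cut], ordered[cut:]


def fit_lognormal(times):
    """Maximum-likelihood Lognormal fit: mean and std of log(times).
    Fitting only the clipped body biases both estimates slightly downward,
    which is acceptable for a sensor-health baseline."""
    logs = [math.log(t) for t in times]
    return statistics.fmean(logs), statistics.pstdev(logs)


def fit_exponential_excess(tail, threshold):
    """Maximum-likelihood Exponential rate for the excesses over the clip point
    (a peaks-over-threshold fit of the extreme tail)."""
    excess = [t - threshold for t in tail]
    return 1.0 / statistics.fmean(excess)


def characterize(times, q=0.99):
    """Return the fitted two-part model: Lognormal body, Exponential extreme tail."""
    body, tail = split_at_quantile(times, q)
    mu, sigma = fit_lognormal(body)
    threshold = body[-1]            # clip point: largest value kept in the body
    rate = fit_exponential_excess(tail, threshold)
    return {
        "n_body": len(body), "n_tail": len(tail),
        "mu": mu, "sigma": sigma,
        "threshold_us": threshold,
        "tail_rate": rate, "tail_mean_excess_us": 1.0 / rate,
    }


def prob_exceeds(budget_us, params):
    """Estimated probability that one packet exceeds a processing budget.
    Below the clip point use the Lognormal survival function; above it scale
    the Exponential survival of the excess by the empirical tail fraction."""
    if budget_us <= params["threshold_us"]:
        z = (math.log(budget_us) - params["mu"]) / (params["sigma"] * math.sqrt(2))
        return 0.5 * math.erfc(z)
    tail_frac = params["n_tail"] / (params["n_body"] + params["n_tail"])
    excess = budget_us - params["threshold_us"]
    return tail_frac * math.exp(-params["tail_rate"] * excess)


if __name__ == "__main__":
    model = characterize(SAMPLE_TIMES)
    for key, value in model.items():
        print(f"{key:>22}: {value:.4f}" if isinstance(value, float) else f"{key:>22}: {value}")
    for budget in (50.0, model["threshold_us"], 2 * model["threshold_us"]):
        print(f"P(time > {budget:7.2f} us) = {prob_exceeds(budget, model):.5f}")
```

The split point is what makes the model useful operationally: the Lognormal body describes the normal load the sensor must sustain, while the Exponential excess gives a defensible estimate of how far the rare slow packets run past the clip point, so a latency budget for drop-free processing can be set from the fitted parameters rather than from a single worst-case observation.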