
Anomaly-Intrusion Detection Methods Research For Host-Based Intrusion Detection System

Posted on: 2010-08-13
Degree: Doctor
Type: Dissertation
Country: China
Candidate: C X Gao
Full Text: PDF
GTID: 1118360302971155
Subject: Computer system architecture

Abstract/Summary:
Host-based anomaly intrusion detection judges whether a host is facing an outside attack by monitoring deviations from the host's normal activities, and it is an important method of network security protection. Many methods have been applied to host-based anomaly intrusion detection, such as signature detection, anomaly detection and status detection. All of these methods have their advantages, but unfortunately they also have shortcomings: for example, when an intrusion's signature changes, a signature-based method fails to detect the intrusion, its detection accuracy decreases, or its false positive and false negative rates increase. The data analyzed usually depends on the OS version, so a different agent must be installed on each host according to its specific configuration, and this affects the running performance and stability of the host. Finding new methods and techniques to detect host anomaly intrusion has therefore become a hot problem in network security.

We aim to solve the problems mentioned above and focus our research on analyzing multiple types of data that are independent of the host OS; the data we select are representative and easy to gather and compute. We try to achieve a good tradeoff between high applicability, high detection accuracy, and low false positive and false negative rates. Host real-time traffic, system resource usage patterns, access information for system kernel files and the alerts of other security tools usually carry some traces of the anomalies triggered by an intrusion or attack, so by using appropriate methods we can detect host anomaly intrusion activities from these hints.

A host-based anomaly detection method is proposed based on host real-time traffic. Real-time traffic can be a good indicator of host anomaly, and in-depth analysis of it can give exceptional results. We first select thirteen variables to represent the host traffic, and then use a Bayesian logistic regression model, developed from a combination of expert experience and manually flagged training data, to evaluate the probability of host anomaly. The Bayesian approach assigns a prior to each coefficient based on expert opinion of the contribution each variable makes, so that the resulting model combines expert opinion with the model generated by the data itself. Since the resulting logistic regression model contains 13 variables, we wanted to reduce the number of variables in order to reduce the overhead of calculating the value of each variable and thereby reduce the processing time per event. We used the Akaike Information Criterion (AIC) to determine which variables could be removed without significantly affecting the model's fit to the data.

A novel method for anomaly detection based on host resource availability (HRA) is presented. The security status of a host is related to its resource usage patterns: abnormal host behaviour is often reflected in the usage of resources such as CPU, memory and bandwidth. First, an index system is established to describe host resource usage. Second, a normal profile of HRA is extracted by experiment. We use the analytic hierarchy process (AHP) to calculate the subjective weight and information entropy to calculate the objective weight of each index, and we also calculate optimal synthetic weights that combine the subjective and objective weights. Finally, an algorithm called the Threshold Anomaly Detection Algorithm (TADA), based on host resource availability, is put forward according to the particular characteristics of HRA. Application testing shows that our method gives satisfactory results.

A novel system was designed to fuse security information from multiple heterogeneous agents in order to detect host anomaly. In the information fusion module, D-S evidence theory is used to fuse dynamic information from the heterogeneous agents. We select typical security information such as host real-time traffic, host resources, status changes of key system files, the alerts of anti-virus tools and the alerts of an IDS-alert processing system. In the basic probability assignment function of the host-related evidence, an adaptive mechanism is introduced to adapt to dynamic host activities. Experiments verify that this framework remarkably reduces the false negative rate and enhances detection accuracy.
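The fusion step of the last method, as an added example that is not part of the dissertation: Dempster's rule of combination applied to basic probability assignments (BPAs) from the five agent types the abstract names, followed by belief and plausibility of the "anomaly" hypothesis. The two-element frame {normal, anomaly}, the agent masses and the absence of the abstract's adaptive BPA mechanism are all assumptions of this example.

```python
from itertools import product

# Frame of discernment: the host is either normal or anomalous (assumed frame).
NORMAL = frozenset({"normal"})
ANOMALY = frozenset({"anomaly"})
THETA = NORMAL | ANOMALY  # total ignorance

def bpa(anomaly, normal):
    """One agent's basic probability assignment; whatever it does not
    commit to either hypothesis is left on THETA as uncertainty."""
    if anomaly < 0 or normal < 0 or anomaly + normal > 1:
        raise ValueError("masses must be non-negative and sum to at most 1")
    return {ANOMALY: anomaly, NORMAL: normal, THETA: 1.0 - anomaly - normal}

def combine(m1, m2):
    """Dempster's rule: intersect focal elements, discard conflicting
    products (empty intersection) and renormalise by 1 - K."""
    fused, conflict = {}, 0.0
    for a, b in product(m1, m2):
        w = m1[a] * m2[b]
        if a & b:
            fused[a & b] = fused.get(a & b, 0.0) + w
        else:
            conflict += w
    if conflict > 1.0 - 1e-12:
        raise ValueError("totally conflicting evidence (K = 1)")
    return {k: v / (1.0 - conflict) for k, v in fused.items()}

def fuse(masses):
    """Fold Dempster's rule over all agents (the rule is associative)."""
    result = masses[0]
    for m in masses[1:]:
        result = combine(result, m)
    return result

def belief(m, hypothesis):
    # Bel(H): mass of every focal element contained in H
    return sum(v for k, v in m.items() if k <= hypothesis)

def plausibility(m, hypothesis):
    # Pl(H): mass of every focal element that does not contradict H
    return sum(v for k, v in m.items() if k & hypothesis)

# Constructed sample evidence, one BPA per agent type named in the abstract.
AGENTS = {
    "traffic": bpa(0.6, 0.1),
    "resource": bpa(0.5, 0.2),
    "key_files": bpa(0.0, 0.3),   # no key system file changed
    "antivirus": bpa(0.7, 0.0),
    "ids_alerts": bpa(0.4, 0.2),
}
```

`fuse(list(AGENTS.values()))` yields Bel(anomaly) of about 0.917 and Pl(anomaly) of about 0.934, higher than any single agent commits on its own; a neutral agent (all mass on THETA) leaves the result unchanged, and two agents in total contradiction raise an error rather than producing a spurious verdict.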
Keywords/Search Tags: Host-based anomaly intrusion detection, Host real-time traffic, Host resource, Data fusion