Patricia Moat And Zachary Birnbaum
Intrusion Detection using Object Access Graphs
Modern cyber warfare demonstrates an arms race between mutually escalating malware and Intrusion Detection System (IDS) technologies. We put forward a novel process for defining system behavior, with the end result being an effective IDS. System calls accumulated under normal network operation are converted to graph components and used as part of the IDS normalcy profile. In this paper, we present the following contributions: an algorithm to effectively find a system normalcy profile; an algorithm to find anomalous deviations; an algorithm to recognize previously detected attacks; and a powerful, real-time visualization system which supports expert-driven reinforcement of learned behavior and decision making. We developed an efficient method for storing and processing the normalcy profile. Our IDS has the ability to instantly adopt changes in the normalcy definition. Our results demonstrate that achieving efficient anomaly detection is possible through the intelligent application of graph processing algorithms to system behavioral profiling.
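The pipeline the abstract sketches (system calls converted to labelled graph edges, a normalcy profile learned from normal operation, deviations scored against it, and deviations matched to previously detected attacks), as an added example that is not the paper's code. The trace format, the choice of process/syscall/object as the edge components, and Jaccard matching for recognition are assumptions made here.

```python
from collections import defaultdict

# Constructed sample traces (assumed "<process> <syscall> <object>" format,
# not the paper's data); keying by process name generalises across PIDs.
NORMAL_TRACE = """\
sshd open /etc/ssh/sshd_config
sshd read /etc/ssh/sshd_config
nginx open /etc/nginx/nginx.conf
nginx read /etc/nginx/nginx.conf
nginx open /var/www/index.html
nginx read /var/www/index.html
nginx write /var/log/nginx/access.log
"""
SUSPECT_TRACE = """\
nginx open /var/www/index.html
nginx read /var/www/index.html
nginx open /etc/shadow
nginx read /etc/shadow
nginx execve /bin/sh
"""

def parse_trace(text):
    """Raw trace lines -> (process, syscall, object) triples."""
    return [tuple(l.split(maxsplit=2)) for l in text.splitlines() if l.strip()]

def build_graph(events):
    """Object access graph as adjacency: process -> object -> syscall labels."""
    graph = defaultdict(lambda: defaultdict(set))
    for proc, call, obj in events:
        graph[proc][obj].add(call)
    return graph

def learn_profile(text):
    """Normalcy profile: the graph's labelled edges (process, syscall, object)
    observed under normal operation, kept as a set for O(1) membership tests."""
    graph = build_graph(parse_trace(text))
    return {(p, c, o) for p, objs in graph.items() for o, cs in objs.items() for c in cs}

def detect(profile, text):
    """Edges of a new trace absent from the profile are anomalous deviations."""
    observed = learn_profile(text)  # same graph construction on the new trace
    anomalous = observed - profile
    return anomalous, (len(anomalous) / len(observed) if observed else 0.0)

def recognize(signatures, anomalous, threshold=0.5):
    """Match a deviation to stored attack signatures by Jaccard similarity."""
    best, best_score = None, 0.0
    for label, sig in signatures.items():
        union = sig | anomalous
        score = len(sig & anomalous) / len(union) if union else 0.0
        if score >= threshold and score > best_score:
            best, best_score = label, score
    return best
```

Each anomalous edge set returned by `detect` can be stored under a label and fed back to `recognize`, which is the "previously detected attack" step; expert feedback that marks a deviation benign is just a union of its edges into the profile.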