COTS Diversity Based Intrusion Detection and Application to Web Servers

Totel, Éric; Majorczyk, Frédéric; Mé, Ludovic

doi:10.1007/11663812_3

Cited by 43 publications

(32 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In the context of intrusion detection networks, a number of works (such as the ones presented in [32,33]) use the concept of diversity in detection capabilities to increase robustness when detecting security threats (e.g., by using different detection techniques and configurations to monitor the same set of requirements). Nevertheless, as far as we know none of them applies diversity to trust with the aim of increasing the quality and resilience of collaborative attack detection.…”

Section: Related Workmentioning

confidence: 99%

Trustworthy placements: Improving quality and resilience in collaborative attack detection

et al. 2014

View full text Add to dashboard Cite

In distributed and collaborative attack detection systems decisions are made on the basis of the events reported by many sensors, e.g., Intrusion Detection Systems placed across various network locations. In some cases such events originate at locations over which we have little control, for example because they belong to an organisation that shares information with us. Blindly accepting such reports as real encompasses several risks, as sensors might be dishonest, unreliable or simply compromised. In these situations trust plays an important role in deciding whether alerts should be believed or not. In this work we present an approach to maximise the quality of the information gathered in such systems and the resilience against dishonest behaviours. We introduce the notion of trust diversity amongst sensors and argue that detection configurations with such a property perform much better in many respects. Using reputation as a proxy for trust, we introduce an adaptive scheme to dynamically reconfigure the network of detection sensors. Experiments confirm an overall increase both in detection quality and resilience against compromise and misbehaviour.

show abstract

Section: Related Workmentioning

confidence: 99%

Trustworthy placements: Improving quality and resilience in collaborative attack detection

et al. 2014

View full text Add to dashboard Cite

show abstract

“…This architecture is then utilized for developing diversity-based intrusion detection techniques [6,10,11,16,25]. Most of these techniques use Commercial Off-The-Shelf (COTS) software to build the detection models.…”

Section: Related Workmentioning

confidence: 99%

“…Most of these techniques use Commercial Off-The-Shelf (COTS) software to build the detection models. Among those schemes, the techniques proposed by Just et al [16] and Totel et al [25] are output voting schemes, which only compare the final outputs (HTTP status codes and files) of the diverse software to detect intrusions. However, as many of the intrusions may not result in observable deviation in the responses of those server software, such intrusions can evade detections of these techniques.…”

Section: Related Workmentioning

confidence: 99%

On Detection of Erratic Arguments

Han

Yan

Deng

et al. 2012

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

View full text Add to dashboard Cite

Abstract. Due to the erratic nature, the value of a function argument in one normal program execution could become illegal in another normal execution context. Attacks utilizing such erratic arguments are able to evade detections as fine-grained context information is unavailable in many existing detection schemes. In order to obtain such fine-grained context information, a precise model on the internal program states has to be built, which is impractical especially monitoring a closed source program alone. In this paper, we propose an intrusion detection scheme which builds on two diverse programs providing semantically-close functionality. Our model learns underlying semantic correlation of the argument values in these programs, and consequently gains more accurate context information compared to existing schemes. Through experiments, we show that such context information is effective in detecting attacks which manipulate erratic arguments with comparable false positive rates.

show abstract

“…DADDi [8] (Dependable Anomaly Detection with Diagnosis) implements an IDS for web servers with an architecture composed by three different COTS servers: an Apache on Mac-OS X, an IIS on Windows 2000 and a thttpd on Linux. The project extends the comparison to the complete network output of the COTS servers.…”

Section: Black-box Intrusion Detection Using Diversitymentioning

confidence: 99%

“…Most of the time, anomaly detection requires to explicitly build the model of the normal behavior, either statically or dynamically (e.g., during a learning phase). Previous work [9,6,8] has introduced a way to avoid building the behavior model explicitly, while allowing the built IDS to detect new or unknown attacks. This previous work is based on a dependability technique: N-version programming [1].…”

Section: Introductionmentioning

confidence: 99%

Anomaly Detection with Diagnosis in Diversified Systems using Information Flow Graphs

Majorczyk

Totel

Mé

et al.

Proceedings of the Ifip Tc 11 23rd International Information Security Conference

Self Cite

View full text Add to dashboard Cite

Design diversity is a well-known method to ensure fault tolerance. Such a method has also been applied successfully in various projects to provide intrusion detection and tolerance. Two types of approaches have been investigated: the comparison of the outputs of the diversified services without any knowledge of the internals of the server (black box approach) or an intrusive observation of the activities that occur on the diversified servers (gray box approach). Previous work on black-box approaches have shown that some types of attacks cannot be detected. In this paper, we introduce a gray-box approach, on the one hand to increase the detection coverage, and on the other hand to add some diagnosis capability to the IDS. Our gray-box approach is based on the comparison of information flow graphs generated by the activities on the servers.

show abstract

COTS Diversity Based Intrusion Detection and Application to Web Servers

Cited by 43 publications

References 12 publications

Trustworthy placements: Improving quality and resilience in collaborative attack detection

Trustworthy placements: Improving quality and resilience in collaborative attack detection

On Detection of Erratic Arguments

Anomaly Detection with Diagnosis in Diversified Systems using Information Flow Graphs

Contact Info

Product

Resources

About