Impact of IT Monoculture on Behavioral End Host Intrusion Detection

Abstract: In this paper, we study the impact of today's IT policies, defined based upon a monoculture approach, on the performance of end-host anomaly detectors. This approach leads to the uniform configuration of host intrusion detection systems (HIDS) across all hosts in an enterprise network. We assess the performance impact this policy has from the individual's point of view by analyzing network traces collected from 350 enterprise users. We uncover a great deal of diversity in the user population in terms of the "tail" behavior, i.e., the component that matters for anomaly detection systems. We demonstrate that the monoculture approach to HIDS configuration results in users who experience wildly different false positive and false negative rates. We then introduce new policies, based upon leveraging this diversity, and show that not only do they dramatically improve performance for the vast majority of users, but they also reduce the number of false positives arriving in centralized IT operation centers, and can reduce attack strength.
Document type:
Conference paper
ACM SIGCOMM Workshop on Research on Enterprise Networking (WREN), 2009, Barcelona, Spain. pp. 27-36, 2009

Cited literature [26 references]

https://hal.inria.fr/hal-00795994
Contributor: Alain Monteil
Submitted on: Thursday 7 March 2013 - 11:26:25
Last modified on: Wednesday 14 December 2016 - 01:06:05
Document(s) archived on: Monday 17 June 2013 - 11:12:37

File

BCF09.pdf
Files produced by the author(s)

Identifiers

  • HAL Id: hal-00795994, version 1

Citation

Dhiman Barman, Jaideep Chandrashekar, Nina Taft, Michalis Faloutsos, Lim Huang, et al. Impact of IT Monoculture on Behavioral End Host Intrusion Detection. ACM SIGCOMM Workshop on Research on Enterprise Networking (WREN), 2009, Barcelona, Spain. pp. 27-36, 2009. <hal-00795994>
