Skip to Main content Skip to Navigation
Conference papers

Impact of IT Monoculture on Behavioral End Host Intrusion Detection

Abstract : In this paper, we study the impact of today's IT policies, defined based upon a monoculture approach, on the performance of endhost anomaly detectors. This approach leads to the uniform configuration of Host intrusion detection systems (HIDS) across all hosts in an enterprise networks. We assess the performance impact this policy has from the individual's point of view by analyzing network traces collected from 350 enterprise users. We uncover a great deal of diversity in the user population in terms of the “tail†behavior, i.e., the component which matters for anomaly detection systems. We demonstrate that the monoculture approach to HIDS configuration results in users that experience wildly different false positive and false negatives rates. We then introduce new policies, based upon leveraging this diversity and show that not only do they dramatically improve performance for the vast majority of users, but they also reduce the number of false positives arriving in centralized IT operation centers, and can reduce attack strength.
Document type :
Conference papers
Complete list of metadata

Cited literature [26 references]  Display  Hide  Download
Contributor : Alain Monteil <>
Submitted on : Thursday, March 7, 2013 - 11:26:25 AM
Last modification on : Monday, October 12, 2020 - 10:30:26 AM
Long-term archiving on: : Monday, June 17, 2013 - 11:12:37 AM


Files produced by the author(s)


  • HAL Id : hal-00795994, version 1



Dhiman Barman, Jaideep Chandrashekar, Nina Taft, Michalis Faloutsos, Lim Huang, et al.. Impact of IT Monoculture on Behavioral End Host Intrusion Detection. ACM SIGCOMM Workshop on Research on Enterprise Networking ― WREN, 2009, Barcelone, Spain. pp.27―36. ⟨hal-00795994⟩



Record views


Files downloads