Impact of IT Monoculture on Behavioral End Host Intrusion Detection - Inria - Institut national de recherche en sciences et technologies du numérique Accéder directement au contenu
Communication Dans Un Congrès Année : 2009

Impact of IT Monoculture on Behavioral End Host Intrusion Detection

Résumé

In this paper, we study the impact of today's IT policies, defined based upon a monoculture approach, on the performance of endhost anomaly detectors. This approach leads to the uniform configuration of Host intrusion detection systems (HIDS) across all hosts in an enterprise networks. We assess the performance impact this policy has from the individual's point of view by analyzing network traces collected from 350 enterprise users. We uncover a great deal of diversity in the user population in terms of the “tail†behavior, i.e., the component which matters for anomaly detection systems. We demonstrate that the monoculture approach to HIDS configuration results in users that experience wildly different false positive and false negatives rates. We then introduce new policies, based upon leveraging this diversity and show that not only do they dramatically improve performance for the vast majority of users, but they also reduce the number of false positives arriving in centralized IT operation centers, and can reduce attack strength.

Domaines

Autre [cs.OH]
Fichier principal
Vignette du fichier
BCF09.pdf (340.66 Ko) Télécharger le fichier
Origine : Fichiers produits par l'(les) auteur(s)
Loading...

Dates et versions

hal-00795994 , version 1 (07-03-2013)

Identifiants

  • HAL Id : hal-00795994 , version 1

Citer

Dhiman Barman, Jaideep Chandrashekar, Nina Taft, Michalis Faloutsos, Lim Huang, et al.. Impact of IT Monoculture on Behavioral End Host Intrusion Detection. ACM SIGCOMM Workshop on Research on Enterprise Networking ― WREN, 2009, Barcelone, Spain. pp.27―36. ⟨hal-00795994⟩
215 Consultations
459 Téléchargements

Partager

Gmail Facebook X LinkedIn More