Skip to Main content Skip to Navigation
Conference papers

Impact of IT Monoculture on Behavioral End Host Intrusion Detection

Dhiman Barman 1 Jaideep Chandrashekar 2 Nina Taft 2 Michalis Faloutsos 1 Lim Huang 2 Frédéric Giroire 3 
3 MASCOTTE - Algorithms, simulation, combinatorics and optimization for telecommunications
CRISAM - Inria Sophia Antipolis - Méditerranée , Laboratoire I3S - COMRED - COMmunications, Réseaux, systèmes Embarqués et Distribués
Abstract : In this paper, we study the impact of today's IT policies, defined based upon a monoculture approach, on the performance of endhost anomaly detectors. This approach leads to the uniform configuration of Host intrusion detection systems (HIDS) across all hosts in an enterprise networks. We assess the performance impact this policy has from the individual's point of view by analyzing network traces collected from 350 enterprise users. We uncover a great deal of diversity in the user population in terms of the “tail†behavior, i.e., the component which matters for anomaly detection systems. We demonstrate that the monoculture approach to HIDS configuration results in users that experience wildly different false positive and false negatives rates. We then introduce new policies, based upon leveraging this diversity and show that not only do they dramatically improve performance for the vast majority of users, but they also reduce the number of false positives arriving in centralized IT operation centers, and can reduce attack strength.
Document type :
Conference papers
Complete list of metadata

Cited literature [26 references]  Display  Hide  Download
Contributor : Alain Monteil Connect in order to contact the contributor
Submitted on : Thursday, March 7, 2013 - 11:26:25 AM
Last modification on : Saturday, June 25, 2022 - 11:09:49 PM
Long-term archiving on: : Monday, June 17, 2013 - 11:12:37 AM


Files produced by the author(s)


  • HAL Id : hal-00795994, version 1



Dhiman Barman, Jaideep Chandrashekar, Nina Taft, Michalis Faloutsos, Lim Huang, et al.. Impact of IT Monoculture on Behavioral End Host Intrusion Detection. ACM SIGCOMM Workshop on Research on Enterprise Networking ― WREN, 2009, Barcelone, Spain. pp.27―36. ⟨hal-00795994⟩



Record views


Files downloads