Host-based Anomaly Detection Using Wrapping File Systems

Shlomo Hershkop; Linh H. Bui; Ryan Ferst; Salvatore Stolfo

Host-based Anomaly Detection Using Wrapping File Systems
Hershkop, Shlomo
Bui, Linh H.
Ferst, Ryan
Stolfo, Salvatore
Technical reports
Computer Science
Permanent URL:
Columbia University Computer Science Technical Reports
Part Number:
We describe an anomaly detector, called FWRAP, for a Host-based Intrusion Detection System that monitors file system calls to detect anomalous accesses. The system is intended to be used not as a standalone detector but one of a correlated set of host-based sensors. The detector has two parts, a sensor that audits file systems accesses, and an unsupervised machine learning system that computes normal models of those accesses.We report on the architecture of the file system sensor implemented on Linux using the FiST file wrapper technology and results of the anomaly detector applied to experimental data acquired from this sensor. FWRAP employs the Probabilistic Anomaly Detection (PAD) algorithm previously reported in our work on Windows Registry Anomaly Detection. The detector is first trained by operating the host computer for some amount of time and a model specific to the target machine is automatically computed by PAD, intended to be deployed to a real-time detector. In this paper we describe the feature set used to model file system accesses, and the performance results of a set of experiments using the sensor while attacking a Linux host with a variety of malware exploits. The PAD detector achieved impressive detection rates in some cases over 95\% and about a 2\% false positive rate when alarming on anomalous processes.
Computer science
Item views:
text | xml
Suggested Citation:
Shlomo Hershkop, Linh H. Bui, Ryan Ferst, Salvatore Stolfo, 2004, Host-based Anomaly Detection Using Wrapping File Systems, Columbia University Academic Commons, http://hdl.handle.net/10022/AC:P:29221.

In Partnership with the Center for Digital Research and Scholarship at Columbia University Libraries/Information Services | Terms of Use | Copyright