Cross-domain Collaborative Anomaly Detection: So Far Yet So Close

Nathaniel Gordon Boggs; Sharath Hiremagalore; Angelos Stavrou; Salvatore Stolfo

Subject: Computer Science
Series: Lecture Notes in Computer Science
Book/Journal Title: Recent Advances in Intrusion Detection: 14th International Symposium, RAID 2011, Menlo Park, CA, USA, September 20-21, 2011: Proceedings
Book Author: Robin Sommer, Davide Balzarotti, Gregor Maier
Publisher Location: New York
Web applications have emerged as the primary means of access to vital and sensitive services such as online payment systems and databases storing personally identifiable information. Unfortunately, the need for ubiquitous and often anonymous access exposes web servers to adversaries. Indeed, network-borne zero-day attacks pose a critical and widespread threat to web servers that cannot be mitigated by the use of signature-based intrusion detection systems. To detect previously unseen attacks, we correlate, across multiple web servers, web requests containing user-submitted content that local Content Anomaly Detection (CAD) sensors deem abnormal. The cross-site information exchange happens in real time, leveraging privacy-preserving data structures. We filter out high-entropy and rarely seen legitimate requests, reducing the amount of data and time an operator has to spend sifting through alerts. Our results come from a fully working prototype using eleven weeks of real-world data from production web servers. During that period, we identify at least three application-specific attacks not belonging to an existing class of web attacks, as well as a wide range of traditional classes of attacks including SQL injection, directory traversal, and code inclusion, without using human-specified knowledge or input.
Suggested Citation:
Nathaniel Gordon Boggs, Sharath Hiremagalore, Angelos Stavrou, Salvatore Stolfo, Cross-domain Collaborative Anomaly Detection: So Far Yet So Close, Columbia University Academic Commons.
