Host-based Anomaly Detection Using Wrapping File Systems

Shlomo Hershkop; Linh H. Bui; Ryan Ferst; Salvatore Stolfo

Host-based Anomaly Detection Using Wrapping File Systems
Hershkop, Shlomo
Bui, Linh H.
Ferst, Ryan
Stolfo, Salvatore
Computer Science
Persistent URL:
Columbia University Computer Science Technical Reports
Part Number:
Department of Computer Science, Columbia University
Publisher Location:
New York
We describe an anomaly detector, called FWRAP, for a Host-based Intrusion Detection System that monitors file system calls to detect anomalous accesses. The system is intended to be used not as a standalone detector but one of a correlated set of host-based sensors. The detector has two parts, a sensor that audits file systems accesses, and an unsupervised machine learning system that computes normal models of those accesses.We report on the architecture of the file system sensor implemented on Linux using the FiST file wrapper technology and results of the anomaly detector applied to experimental data acquired from this sensor. FWRAP employs the Probabilistic Anomaly Detection (PAD) algorithm previously reported in our work on Windows Registry Anomaly Detection. The detector is first trained by operating the host computer for some amount of time and a model specific to the target machine is automatically computed by PAD, intended to be deployed to a real-time detector. In this paper we describe the feature set used to model file system accesses, and the performance results of a set of experiments using the sensor while attacking a Linux host with a variety of malware exploits. The PAD detector achieved impressive detection rates in some cases over 95\% and about a 2\% false positive rate when alarming on anomalous processes.
Computer science
Item views
text | xml
Suggested Citation:
Shlomo Hershkop, Linh H. Bui, Ryan Ferst, Salvatore Stolfo, , Host-based Anomaly Detection Using Wrapping File Systems, Columbia University Academic Commons, .

Columbia University Libraries | Policies | FAQ