libAnomaly

A multi-model anomaly detection framework

Description

Intrusion detection systems typically fall into one of two categories: misuse detection and anomaly detection. In misuse detection systems, attacks are explicitly codified as signatures of some form. They are characterized by a low rate of false positives but, to a greater or lesser extent, suffer from an inability to generalize beyond their signature set. That is, new attacks, and even simple variations of attacks for which signatures exist, often go undetected.

Anomaly detection systems detect attacks by comparing current system behavior to some representation of normal system behavior. This representation may be a software or protocol specification, but more often takes the form of learned models that have been trained on some set of features describing activity in the monitored system -- examples include fields in audit records, web requests, and system call invocations. Since anomaly detection systems don't include attack descriptions, they have the advantage of being able to detect novel attacks, provided those attacks are distinguishable from normal system behavior in some way.
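The learned-profile approach just described can be made concrete with a small multi-model detector for a single attribute, here the value of one web request parameter. This is an added example written for this page, not libAnomaly's own code or API; the two models (attribute length, character distribution), the equal weighting, the threshold policy and the constructed training values are all assumptions chosen for illustration.

```cpp
// Added example, not libAnomaly's own code: a minimal multi-model anomaly
// detector for a single string attribute such as the value of one web
// request parameter. Two models each learn a profile of normal values and
// return an anomaly score in [0,1]; the detector combines the scores and
// compares the result against a threshold derived from the training data.
#include <algorithm>
#include <array>
#include <cmath>
#include <cstdio>
#include <string>
#include <vector>

// Model 1: attribute length. Learns mean and variance of the training
// lengths and scores longer-than-usual values with the Chebyshev bound on
// how unlikely a deviation at least that large is under the learned profile.
class LengthModel {
public:
    void train(const std::vector<std::string>& samples) {
        double sum = 0.0, sq = 0.0;
        for (const auto& s : samples) {
            double len = static_cast<double>(s.size());
            sum += len;
            sq += len * len;
        }
        double n = static_cast<double>(samples.size());
        mean_ = sum / n;
        var_ = std::max(0.0, sq / n - mean_ * mean_);
    }
    double score(const std::string& s) const {
        double d = static_cast<double>(s.size()) - mean_;
        if (d <= 0.0) return 0.0;                  // shorter values are treated as benign
        double p = std::min(1.0, var_ / (d * d));  // P(|len - mean| >= d) <= var / d^2
        return 1.0 - p;
    }
private:
    double mean_ = 0.0, var_ = 0.0;
};

// Model 2: character distribution. Learns the average relative frequency of
// each byte value over the training set and scores a value by the total
// variation distance between its own byte distribution and that profile.
class CharDistModel {
public:
    void train(const std::vector<std::string>& samples) {
        profile_.fill(0.0);
        for (const auto& s : samples) {
            auto f = frequencies(s);
            for (size_t i = 0; i < 256; ++i) profile_[i] += f[i] / samples.size();
        }
    }
    double score(const std::string& s) const {
        auto f = frequencies(s);
        double tv = 0.0;
        for (size_t i = 0; i < 256; ++i) tv += std::fabs(f[i] - profile_[i]);
        return tv / 2.0;                           // 0 = same mix of bytes, 1 = disjoint
    }
private:
    static std::array<double, 256> frequencies(const std::string& s) {
        std::array<double, 256> f{};
        for (unsigned char c : s) f[c] += 1.0 / s.size();
        return f;
    }
    std::array<double, 256> profile_{};
};

// Combines the models with equal weights. The threshold is the worst combined
// score any training value receives plus a 10% tolerance, so the training
// data itself is never flagged (an assumed policy for this example).
class Detector {
public:
    void train(const std::vector<std::string>& normal) {
        len_.train(normal);
        chars_.train(normal);
        double worst = 0.0;
        for (const auto& s : normal) worst = std::max(worst, score(s));
        threshold_ = worst * 1.1;
    }
    double score(const std::string& s) const {
        return 0.5 * len_.score(s) + 0.5 * chars_.score(s);
    }
    bool isAnomalous(const std::string& s) const { return score(s) > threshold_; }
    double threshold() const { return threshold_; }
private:
    LengthModel len_;
    CharDistModel chars_;
    double threshold_ = 1.0;
};

// Constructed training set: values a "user" parameter took in normal traffic.
const std::vector<std::string> kNormalUsers = {
    "alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi",
    "ivan", "judy", "mallory", "oscar", "peggy", "trent", "victor", "walter"};

// Detector trained once on the constructed set and shared by the demo below.
const Detector& detector() {
    static const Detector d = [] { Detector t; t.train(kNormalUsers); return t; }();
    return d;
}

// True if the detector flags any value it was trained on (it should not).
bool flagsAnyTrainingValue() {
    for (const auto& s : kNormalUsers)
        if (detector().isAnomalous(s)) return true;
    return false;
}

int main() {
    const Detector& d = detector();
    std::printf("threshold = %.3f\n", d.threshold());
    std::vector<std::string> probes = {"susan", std::string(120, 'A'),
                                       "x'; 9{}[]|~^!@#$%&*()"};
    for (const auto& v : probes)
        std::printf("%-25.25s score=%.3f %s\n", v.c_str(), d.score(v),
                    d.isAnomalous(v) ? "ANOMALOUS" : "normal");
    return 0;
}
```

Running it shows the trade-off a multi-model design has to make: a value of ordinary length made entirely of bytes never seen in training (for example "q9#!") scores exactly 0.5, because the length model vouches for it while the character model rejects it, and with equal weights that falls under the learned threshold. Whether scores are combined by weighted sum, as here, or by taking the maximum, and how the threshold is set, decides what such a detector can and cannot see.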

libAnomaly was created to make research on anomaly detection systems easier by providing implementations of features common to most anomaly detectors:

libAnomaly is implemented as a C++ library with an emphasis on efficiency and portability. It is currently in use by two anomaly detectors:

Software

Publications

People