Cooperative Anomaly and Intrusion Detection for Alert Correlation in Networked Computing Systems

Network-centric computing systems manifest as Grids, clusters, Intranets, LANs, or P2P networks, etc. These distributed systems are subject to security breaches in an open network environment. Conventional intrusion detection systems (IDS) use the misuse model at the packet level. An anomaly detection system (ADS) follows a normal-use model at Internet connection level. We integrate these two alert systems into a Cooperative Anomaly and Intrusion Detection System (CAIDS). This integrated system detects not only known attacks but also unknown anomalies. The system integration is enabled by Internet episode datamining, anomaly classification, alert correlation, and automated signature generation. We have tested the CAIDS performance at USC with an Internet trace of 23.35 millions of traffic packets, intermixed with 200 attacks from the Lincoln Lab IDS dataset. We achieved a combined detection rate up to 75% at a false alarm rate lower than 5%. These results are sharply improved from 38% in using the network IDS Snort and from 50% in using the ADS alone. Our system detects many novel attacks hidden in telnet, http, ftp, smtp, Email, pop3, and authentication services. The CAIDS offers correlated alerts to intrusions on distributed hosts or anomalies with disrupted connectivity in the component networks.