A Study in the Feasibility of Performing Host-Based Anomaly Detection on Windows NT
Authors
Abstract
Windows NT has become the dominant desktop platform. To date, host-based intrusion detection research has focused on Unix-flavored platforms. As a result, there is a large gap between the platform people use in practice and the platforms on which intrusion detection research is active. In this paper, we examine the feasibility of applying host-based intrusion detection to the Windows NT platform. Specifically, we are interested in applying anomaly detection algorithms to Windows NT processes in order to detect novel attacks against these systems. We describe our previous experiences in program-based anomaly detection on Sun Microsystems' Solaris platform and describe an adaptation of this technique to the Windows NT platform. We describe the relevant issues in performing program-based anomaly detection on the Windows NT platform and the auditing facilities available on the platform for supporting this approach.
Similar references
Moving dispersion method for statistical anomaly detection in intrusion detection systems
A unified method for statistical anomaly detection in intrusion detection systems is theoretically introduced. It is based on estimating a dispersion measure of numerical or symbolic data on successive moving windows in time and finding the times when a relative change of the dispersion measure is significant. Appropriate dispersion measures, relative differences, moving windows, as well as tec...
Recent Developments in Cfengine
Cfengine is a distributed agent framework for performing policy-based network and system administration. It is in widespread use on Unix and NT systems. This paper describes recent changes to the cfengine tool-set, including architectural changes in order to facilitate anomaly detection research, public key methods, improved scheduling technology and search filters.
Windows NT Attacks for the Evaluation of Intrusion Detection
Opinions, interpretations, conclusions, and recommendations are those of the author and are not necessarily endorsed by the United States Air Force. Abstract: The 1999 DARPA Off-Line Intrusion Detection Evaluation provided a standard corpus for evaluating intrusion detection systems. It improved on the 1998 evaluation by providing training data containing no attacks to train anomaly detection sy...
A Novel Ensemble Approach for Anomaly Detection in Wireless Sensor Networks Using Time-overlapped Sliding Windows
One of the most important issues concerning the sensor data in the Wireless Sensor Networks (WSNs) is the unexpected data which are acquired from the sensors. Today, there are numerous approaches for detecting anomalies in the WSNs, most of which are based on machine learning methods. In this research, we present a heuristic method based on the concept of “ensemble of classifiers” of data minin...
Dynamic anomaly detection by using incremental approximate PCA in AODV-based MANETs
Mobile Ad-hoc Networks (MANETs), in contrast to other networks, are more vulnerable because of inherent properties such as dynamic topology and the lack of infrastructure. Therefore, a considerable challenge for these networks is developing a method able to identify anomalies with high accuracy as the network topology changes dynamically. In this paper, two methods are proposed for dynamic anom...