NEW SCHEMES FOR ANOMALY SCORE AGGREGATION AND THRESHOLDING

Salem Benferhat, Karim Tabia

2008

Abstract

Anomaly-based approaches often require multiple profiles and models in order to characterize different aspects of normal behaviors. In particular, anomaly scores of audit events are obtained by aggregating several local anomaly scores. Remarkably, most works focus on profile/model definition while critical issues of anomaly measuring, aggregating and thresholding are dealt with "simplistically". This paper addresses the issue of anomaly scoring and aggregating, which is a recurring problem in anomaly-based approaches. We propose a Bayesian-based scheme for aggregating anomaly scores in a multi-model approach and propose a two-stage thresholding scheme in order to meet real-time detection requirements. The basic idea of our scheme is the fact that anomalous behaviors induce either intra-model anomalies or inter-model anomalies. Our experimental studies, carried out on recent and real http traffic, show for instance that most attacks induce only intra-model anomalies and can be effectively detected in real-time.


Paper Citation


in Harvard Style

Benferhat S. and Tabia K. (2008). NEW SCHEMES FOR ANOMALY SCORE AGGREGATION AND THRESHOLDING. In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2008) ISBN 978-989-8111-59-3, pages 21-28. DOI: 10.5220/0001927900210028

in Bibtex Style

@conference{secrypt08,
author={Salem Benferhat and Karim Tabia},
title={NEW SCHEMES FOR ANOMALY SCORE AGGREGATION AND THRESHOLDING},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2008)},
year={2008},
pages={21-28},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0001927900210028},
isbn={978-989-8111-59-3},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2008)
TI - NEW SCHEMES FOR ANOMALY SCORE AGGREGATION AND THRESHOLDING
SN - 978-989-8111-59-3
AU - Benferhat S.
AU - Tabia K.
PY - 2008
SP - 21
EP - 28
DO - 10.5220/0001927900210028