User Intention-Based Traffic Dependence Analysis For Anomaly Detection
2012) User Intention-Based Traffic Dependence Analysis For Anomaly Detection. Technical Report TR-12-07, Computer Science, Virginia Tech. (
Full text available as:
This paper describes an approach for enforcing dependencies between network traffic and user activities for anomaly detection. We present a framework and algorithms that analyze user actions and network events on a host according to their dependencies. Discovering these relations is useful in identifying anomalous events on a host that are caused by software flaws or malicious code. To demonstrate the feasibility of user intention-based traffic dependence analysis, we implement a prototype called CR-Miner and perform extensive experimental evaluation of the accuracy, security, and efficiency of our algorithm. The results show that our algorithm can identify user intention-based traffic dependence with high accuracy (average 99:6% for 20 users) and low false alarms. Our prototype can successfully detect several pieces of HTTP-based real-world spyware. Our dependence analysis is fast with a minimal storage requirement. We give a thorough analysis on the security and robustness of the user intention-based traffic dependence approach.
|Item Type:||Departmental Technical Report|
|Subjects:||Computer Science > Parallel Computation|
|Deposited By:||Administrator, Eprints|
|Deposited On:||24 March 2012|