Channel: Network - IT, Communications & Networking - Columbia Technology Ventures

Anomaly Identification for Intrusion Detection and Forensics

m02-032 - “Lead Inventors: Salvatore J. Stolfo, Ph.D.; Eleazar Eskin; Leonid Portnoy

Intrusion Detection for Computer Networks Relies on Databases of Known Intrusion Signatures: Existing intrusion detection (ID) systems that rely upon databases of known intrusion signatures or labeled data cannot detect previously unobserved types of intrusions (e.g. zero-day intrusions) until those intrusions are manually identified and their signatures are added to the database of known intrusions. This leaves computer systems protected by such ID systems vulnerable to unknown types of intrusions.

Anomaly Detection Is Intrusion Detection in Unlabeled Network Data: This technology, named unsupervised anomaly detection, is an intrusion detection algorithm that can detect intrusion events given unlabeled network data. Assuming that the network data it processes contains far more normal instances than intrusions, and that the intrusions are qualitatively different from normal instances, it uses a clustering algorithm to analyze the unlabeled network data. Instances that appear in small clusters are labeled as anomalous and therefore deemed to be intrusion attempts.

Applications:
• Can be used to protect computer systems from intrusions without manual training of the ID system.
• Can be used semi-automatically to identify potentially suspicious network events for system administrators to focus on.

Advantages:
• Unlike ID systems that rely purely on signatures, this technology can identify unknown types of intrusions with a low false positive rate. It can therefore protect systems from zero-day intrusions.
• This technology obviates the need to manually update the identified/classified signatures or training data used by the ID system.

Patent Status: Patent Pending
Licensing Status: Available for Sponsored Research Support
Publications: Intrusion Detection with Unlabeled Data Using Clustering, DMSA-2001, Nov. 5-8, 2001.”

Patent No. 8,544,087
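The listing describes the detection idea only in outline: cluster unlabeled records, then treat the members of small clusters as anomalous. The following Python example is added here to make that idea concrete; it is not the licensed or patented implementation and is not code from Columbia Technology Ventures or the inventors. It assumes a fixed-width, single-pass clustering scheme over z-score-normalized feature vectors, a cluster-size cutoff expressed as a fraction of all instances (`min_fraction`), and a small set of constructed connection records (`RECORDS`), none of which appear on the page.

```python
"""Unsupervised anomaly detection with fixed-width clustering.

Added illustration, not the licensed implementation: cluster unlabeled
connection records, then flag the members of small clusters as anomalous.
"""
from math import sqrt
from statistics import mean, pstdev

# Constructed sample records, not captured traffic. Each row is
# (duration_s, bytes_sent, bytes_received, conns_to_same_host_last_2s).
# The first 20 rows are routine connections with mild variation; the last
# three are scan-like: no payload and a burst of connections to one host.
NORMAL = [(0.2 + 0.01 * (i % 5), 300 + 5 * (i % 4), 1500 - 10 * (i % 3), 1 + i % 2)
          for i in range(20)]
SUSPECT = [(0.0, 0, 0, 40), (0.0, 0, 0, 45), (0.0, 0, 0, 50)]
RECORDS = NORMAL + SUSPECT


def zscore_normalize(rows):
    """Scale every feature to zero mean / unit variance so a feature measured
    in bytes cannot dominate one measured in seconds."""
    cols = list(zip(*rows))
    stats = [(mean(c), pstdev(c) or 1.0) for c in cols]   # std 0 -> leave scale alone
    return [tuple((v - m) / s for v, (m, s) in zip(row, stats)) for row in rows]


def euclid(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def fixed_width_cluster(vectors, width):
    """Single pass over the data: each vector joins the nearest existing
    cluster whose centre lies within `width`, otherwise it seeds a new
    cluster. The centre is the first vector assigned, so no iteration over
    the data is needed beyond this one pass. Returns a list of clusters,
    each a list of row indices."""
    centres, clusters = [], []
    for idx, vec in enumerate(vectors):
        best, best_d = None, width
        for c, centre in enumerate(centres):
            d = euclid(vec, centre)
            if d <= best_d:
                best, best_d = c, d
        if best is None:
            centres.append(vec)
            clusters.append([idx])
        else:
            clusters[best].append(idx)
    return clusters


def detect_anomalies(rows, width=1.0, min_fraction=0.25):
    """Return the indices of rows that fall in clusters holding fewer than
    `min_fraction` of all instances. The cutoff rule is an assumption of this
    example; it encodes the premise that intrusions are rare and unlike
    normal traffic, so they end up in small clusters."""
    clusters = fixed_width_cluster(zscore_normalize(rows), width)
    cutoff = min_fraction * len(rows)
    return sorted(i for members in clusters if len(members) < cutoff for i in members)


if __name__ == "__main__":
    for i in detect_anomalies(RECORDS):
        print(f"row {i}: {RECORDS[i]} flagged as anomalous")
```

With the constructed data, the 20 routine rows collapse into one cluster and the three scan-like rows into another, and only the small cluster is reported. The two knobs a practitioner tunes are `width` (how similar two records must be to share a cluster; too small fragments normal traffic into many small clusters and raises false positives) and `min_fraction` (how rare a cluster must be before its members are flagged); both should be set on traffic the operator believes is mostly normal, which is exactly the assumption the listing states.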

