Meta IDS environments: an event message anomaly detection approach

J. Tölle, M. Jahnke, Michael Bussmann, Sven Henkel
Third IEEE International Workshop on Information Assurance (IWIA'05), published 2005-03-23. DOI: 10.1109/IWIA.2005.13
Citations: 3

Abstract

This paper presents an anomaly detection approach for application in Meta IDS environments, where locally generated event messages from several domains are centrally processed. The basic approach has been successfully used for detection of abnormal traffic structures in computer networks. It creates directed graphs from address specifications contained within event messages and generates clusterings of the graphs. Large differences between subsequent clusterings indicate anomalies. This anomaly detection approach is part of an intrusion warning system (IWS) for dynamic coalition environments. It is designed to indicate suspicious actions and tendencies and to provide decision support on how to react on anomalies. Real-world data, mixed with data from a simulated Internet worm, is used to analyze the system. The results prove the applicability of our approach.
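To make the pipeline in the abstract concrete (event messages carrying addresses, a directed graph per time window, a clustering of each graph, and a distance between subsequent clusterings that flags an anomaly), here is an added example that is not code from the paper. The clustering method (weakly connected components), the distance measure (Rand distance over node pairs), the threshold and the event messages are all assumptions, since the abstract does not state the paper's own choices.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample events (window, source address, destination address), standing
# in for the address fields of centrally collected IDS event messages. Windows 0 and 1
# are normal traffic in two subnets; in window 2 host 10.0.0.1 fans out worm-like.
EVENTS = [
    (0, "10.0.0.1", "10.0.0.2"), (0, "10.0.0.2", "10.0.0.3"),
    (0, "10.0.1.1", "10.0.1.2"), (0, "10.0.1.2", "10.0.1.3"),
    (1, "10.0.0.1", "10.0.0.2"), (1, "10.0.0.3", "10.0.0.1"),
    (1, "10.0.1.1", "10.0.1.3"), (1, "10.0.1.2", "10.0.1.1"),
    (2, "10.0.0.1", "10.0.0.2"), (2, "10.0.1.1", "10.0.1.2"),
] + [(2, "10.0.0.1", f"10.0.{net}.{host}") for net in (1, 2) for host in (1, 2, 3)]

def cluster(graph):
    """Assumed clustering: weakly connected components of the directed graph -> {node: id}."""
    adj = defaultdict(set)
    for src, dsts in graph.items():
        for dst in dsts:
            adj[src].add(dst)
            adj[dst].add(src)
    label = {}
    for start in sorted(adj):
        if start in label:
            continue
        stack = [start]  # depth-first walk; the component is labelled by its first node
        while stack:
            node = stack.pop()
            if node not in label:
                label[node] = start
                stack.extend(adj[node])
    return label

def clustering_distance(a, b):
    """Rand distance: share of node pairs whose co-membership differs; absent nodes are singletons."""
    nodes = sorted(set(a) | set(b))
    same = lambda lab, x, y: lab.get(x, "solo:" + x) == lab.get(y, "solo:" + y)
    pairs = list(combinations(nodes, 2))
    return sum(same(a, x, y) != same(b, x, y) for x, y in pairs) / len(pairs)

def detect(events, threshold=0.3):
    """Distances between subsequent clusterings and the windows whose jump exceeds the threshold."""
    graphs = defaultdict(lambda: defaultdict(set))  # window -> {src: {dst, ...}}
    for window, src, dst in events:
        graphs[window][src].add(dst)
    labels = [cluster(graphs[w]) for w in sorted(graphs)]
    distances = [clustering_distance(p, q) for p, q in zip(labels, labels[1:])]
    return distances, [i + 1 for i, d in enumerate(distances) if d > threshold]
```

With the constructed events, windows 0 and 1 produce identical clusterings (distance 0.0), while the fan-out in window 2 merges both subnets into one component and the distance jumps to 26/36, so window 2 is reported.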