TY - GEN
T1 - FloGuard
T2 - 30th International Conference on Computer Safety, Reliability and Security, SAFECOMP 2011
AU - Zonouz, Saman Aliari
AU - Joshi, Kaustubh R.
AU - Sanders, William H.
PY - 2011
Y1 - 2011
N2 - Detecting intrusions early enough can be a challenging and expensive endeavor. While intrusion detection techniques exist for many types of vulnerabilities, deploying them all to catch the small number of vulnerability exploitations that might actually exist for a given system is not cost-effective. In this paper, we present FloGuard, an on-line intrusion forensics and on-demand detector selection framework that provides systems with the ability to deploy the right detectors dynamically in a cost-effective manner when the system is threatened by an exploit. FloGuard relies on often easy-to-detect symptoms of attacks, e.g., participation in a botnet, and works backwards by iteratively deploying off-the-shelf detectors closer to the initial attack vector. The experiments using the EggDrop bot and systems with real vulnerabilities show that FloGuard can efficiently localize the attack origins even for unknown vulnerabilities, and can judiciously choose appropriate detectors to prevent them from being exploited in the future.
AB - Detecting intrusions early enough can be a challenging and expensive endeavor. While intrusion detection techniques exist for many types of vulnerabilities, deploying them all to catch the small number of vulnerability exploitations that might actually exist for a given system is not cost-effective. In this paper, we present FloGuard, an on-line intrusion forensics and on-demand detector selection framework that provides systems with the ability to deploy the right detectors dynamically in a cost-effective manner when the system is threatened by an exploit. FloGuard relies on often easy-to-detect symptoms of attacks, e.g., participation in a botnet, and works backwards by iteratively deploying off-the-shelf detectors closer to the initial attack vector. The experiments using the EggDrop bot and systems with real vulnerabilities show that FloGuard can efficiently localize the attack origins even for unknown vulnerabilities, and can judiciously choose appropriate detectors to prevent them from being exploited in the future.
UR - http://www.scopus.com/inward/record.url?scp=80052993114&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=80052993114&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-24270-0_25
DO - 10.1007/978-3-642-24270-0_25
M3 - Conference contribution
AN - SCOPUS:80052993114
SN - 9783642242694
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 338
EP - 354
BT - Computer Safety, Reliability, and Security - 30th International Conference, SAFECOMP 2011, Proceedings
Y2 - 19 September 2011 through 22 September 2011
ER -