FloGuard

Cost-aware systemwide intrusion defense via online forensics and on-demand IDS deployment

Saman Aliari Zonouz, Kaustubh R. Joshi, William H. Sanders

Research output: Chapter in Book/Report/Conference proceedingConference contribution

5 Citations (Scopus)

Abstract

Detecting intrusions early enough can be a challenging and expensive endeavor. While intrusion detection techniques exist for many types of vulnerabilities, deploying them all to catch the small number of vulnerability exploitations that might actually exist for a given system is not cost-effective. In this paper, we present FloGuard, an on-line intrusion forensics and on-demand detector selection framework that provides systems with the ability to deploy the right detectors dynamically in a cost-effective manner when the system is threatened by an exploit. FloGuard relies on often easy-to-detect symptoms of attacks, e.g., participation in a botnet, and works backwards by iteratively deploying off-the-shelf detectors closer to the initial attack vector. The experiments using the EggDrop bot and systems with real vulnerabilities show that FloGuard can efficiently localize the attack origins even for unknown vulnerabilities, and can judiciously choose appropriate detectors to prevent them from being exploited in the future.

Original languageEnglish
Title of host publicationLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Pages338-354
Number of pages17
Volume6894 LNCS
DOIs
StatePublished - Sep 26 2011
Event30th International Conference on Computer Safety, Reliability and Security, SAFECOMP 2011 - Naples, Italy
Duration: Sep 19 2011Sep 22 2011

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume6894 LNCS
ISSN (Print)03029743
ISSN (Electronic)16113349

Other

Other30th International Conference on Computer Safety, Reliability and Security, SAFECOMP 2011
CountryItaly
CityNaples
Period9/19/119/22/11

Fingerprint

Vulnerability
Detector
Detectors
Attack
Costs
Intrusion detection
Intrusion Detection
Exploitation
Choose
Unknown
Demand
Experiment
Experiments

ASJC Scopus subject areas

  • Computer Science(all)
  • Theoretical Computer Science

Cite this

Zonouz, S. A., Joshi, K. R., & Sanders, W. H. (2011). FloGuard: Cost-aware systemwide intrusion defense via online forensics and on-demand IDS deployment. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 6894 LNCS, pp. 338-354). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 6894 LNCS). https://doi.org/10.1007/978-3-642-24270-0_25

FloGuard : Cost-aware systemwide intrusion defense via online forensics and on-demand IDS deployment. / Zonouz, Saman Aliari; Joshi, Kaustubh R.; Sanders, William H.

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). Vol. 6894 LNCS 2011. p. 338-354 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 6894 LNCS).

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Zonouz, SA, Joshi, KR & Sanders, WH 2011, FloGuard: Cost-aware systemwide intrusion defense via online forensics and on-demand IDS deployment. in Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). vol. 6894 LNCS, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 6894 LNCS, pp. 338-354, 30th International Conference on Computer Safety, Reliability and Security, SAFECOMP 2011, Naples, Italy, 9/19/11. https://doi.org/10.1007/978-3-642-24270-0_25
Zonouz SA, Joshi KR, Sanders WH. FloGuard: Cost-aware systemwide intrusion defense via online forensics and on-demand IDS deployment. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). Vol. 6894 LNCS. 2011. p. 338-354. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). https://doi.org/10.1007/978-3-642-24270-0_25
Zonouz, Saman Aliari ; Joshi, Kaustubh R. ; Sanders, William H. / FloGuard : Cost-aware systemwide intrusion defense via online forensics and on-demand IDS deployment. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). Vol. 6894 LNCS 2011. pp. 338-354 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).
@inproceedings{96d7bf52c3d147eda81a72874b3290a0,
title = "FloGuard: Cost-aware systemwide intrusion defense via online forensics and on-demand IDS deployment",
abstract = "Detecting intrusions early enough can be a challenging and expensive endeavor. While intrusion detection techniques exist for many types of vulnerabilities, deploying them all to catch the small number of vulnerability exploitations that might actually exist for a given system is not cost-effective. In this paper, we present FloGuard, an on-line intrusion forensics and on-demand detector selection framework that provides systems with the ability to deploy the right detectors dynamically in a cost-effective manner when the system is threatened by an exploit. FloGuard relies on often easy-to-detect symptoms of attacks, e.g., participation in a botnet, and works backwards by iteratively deploying off-the-shelf detectors closer to the initial attack vector. The experiments using the EggDrop bot and systems with real vulnerabilities show that FloGuard can efficiently localize the attack origins even for unknown vulnerabilities, and can judiciously choose appropriate detectors to prevent them from being exploited in the future.",
author = "Zonouz, {Saman Aliari} and Joshi, {Kaustubh R.} and Sanders, {William H.}",
year = "2011",
month = "9",
day = "26",
doi = "10.1007/978-3-642-24270-0_25",
language = "English",
isbn = "9783642242694",
volume = "6894 LNCS",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
pages = "338--354",
booktitle = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

}

TY - GEN

T1 - FloGuard

T2 - Cost-aware systemwide intrusion defense via online forensics and on-demand IDS deployment

AU - Zonouz, Saman Aliari

AU - Joshi, Kaustubh R.

AU - Sanders, William H.

PY - 2011/9/26

Y1 - 2011/9/26

N2 - Detecting intrusions early enough can be a challenging and expensive endeavor. While intrusion detection techniques exist for many types of vulnerabilities, deploying them all to catch the small number of vulnerability exploitations that might actually exist for a given system is not cost-effective. In this paper, we present FloGuard, an on-line intrusion forensics and on-demand detector selection framework that provides systems with the ability to deploy the right detectors dynamically in a cost-effective manner when the system is threatened by an exploit. FloGuard relies on often easy-to-detect symptoms of attacks, e.g., participation in a botnet, and works backwards by iteratively deploying off-the-shelf detectors closer to the initial attack vector. The experiments using the EggDrop bot and systems with real vulnerabilities show that FloGuard can efficiently localize the attack origins even for unknown vulnerabilities, and can judiciously choose appropriate detectors to prevent them from being exploited in the future.

AB - Detecting intrusions early enough can be a challenging and expensive endeavor. While intrusion detection techniques exist for many types of vulnerabilities, deploying them all to catch the small number of vulnerability exploitations that might actually exist for a given system is not cost-effective. In this paper, we present FloGuard, an on-line intrusion forensics and on-demand detector selection framework that provides systems with the ability to deploy the right detectors dynamically in a cost-effective manner when the system is threatened by an exploit. FloGuard relies on often easy-to-detect symptoms of attacks, e.g., participation in a botnet, and works backwards by iteratively deploying off-the-shelf detectors closer to the initial attack vector. The experiments using the EggDrop bot and systems with real vulnerabilities show that FloGuard can efficiently localize the attack origins even for unknown vulnerabilities, and can judiciously choose appropriate detectors to prevent them from being exploited in the future.

UR - http://www.scopus.com/inward/record.url?scp=80052993114&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=80052993114&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-24270-0_25

DO - 10.1007/978-3-642-24270-0_25

M3 - Conference contribution

SN - 9783642242694

VL - 6894 LNCS

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 338

EP - 354

BT - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

ER -