2010 International Workshop on Innovative Architecture for Future Generation High Performance (2004)
Charlotte, North Carolina
Apr. 8, 2004 to Apr. 9, 2004
Brian D. Carrier , Purdue University, West Lafayette, IN
Blake Matheny , Purdue University, West Lafayette, IN
In this paper, we introduce a statistics-based anomaly detection technique for identifying systems that could have been compromised and had trojan executables installed. Attackers frequently install rootkits and other trojan files onto hosts they compromise so they can easily gain access in the future. Many detection systems use signatures to identify unauthorized files, but signatures for all platforms and patch levels do not exist in large-scale environments, such as government and university networks. Our anomaly detection system organizes hosts into clusters based on their files and uses statistics to identify those that should be examined in more detail.
Brian D. Carrier, Blake Matheny, "Methods for Cluster-Based Incident Detection", 2010 International Workshop on Innovative Architecture for Future Generation High Performance, vol. 00, no. , pp. 71, 2004, doi:10.1109/IWIA.2004.1288039