Distributed Data Sanitization and Sharing for Efficient Zero-Day Attack Detection

Description:

... traces cleaning training data can reduce false positive rate. ... false positive rate drops to: 0.000254% worm packets detection rate 100%. Future work ...

Provided by: dominoRes
1
Distributed Data Sanitization and Sharing for Efficient Zero-Day Attack Detection
  • Gabriela F. Cretu, Angelos Stavrou, Salvatore J. Stolfo, Angelos Keromytis
  • Department of Computer Science, Columbia University

2
Motivation
  • We focus on zero-day attacks, but anomaly detection systems can generate large
    numbers of false positives if the training data is of poor quality or not
    sanitized.
  • Sanitized training data (free of attack data and noise) can improve the
    performance of an anomaly detection system.

3
Intuition
  • Attacks are a minority in large network traces, so cleaning the training data
    can reduce the false positive rate.
  • Different sites have distinct and diverse content flows, so collaboration
    across sites increases the efficiency of anomaly detectors.
  • Exchanged models are used to distinguish attacks from false positives.

4
Architecture
[Figure: Local architecture]

5
Results
  • Testing with unsanitized model
    • false positive rate: 0.00214
    • worm packets detection rate: 29
  • Testing with sanitized model
    • false positive rate drops to: 0.000254
    • worm packets detection rate: 100

6
Future work
  • Apply our method to other anomaly detectors
  • Find metrics for measuring the diversity of
    different sites
  • Add a calibration phase for setting both voting
    and FFP thresholds
  • Use the diversity of IP sources to prevent
    training attacks