

Seurat: A Pointillist Approach to Anomaly Detection

Abstract. This paper proposes a new approach to detecting aggregated anomalous events by correlating host file system changes across space and time. Our approach is based on a key observation that many host state transitions of interest have both temporal and spatial locality. The intuition is that abnormal state changes, which may be hard to detect in isolation, become apparent when they are correlated with similar changes on other hosts. In particular, the goal is to detect similar, coincident changes to the patterns of file updates that are shared across multiple hosts. We have implemented this approach in a prototype system called Seurat and demonstrated its effectiveness using a combination of real workstation cluster traces gathered over three months, simulated attacks, and a manually launched Linux worm.
Added 02 Jul 2010
Updated 02 Jul 2010
Type Conference
Year 2004
Where RAID
Authors Yinglian Xie, Hyang-Ah Kim, David R. O'Hallaron, Michael K. Reiter, Hui Zhang