WALTHAM, MASS. -- Anomaly detectors looking for zero-day and polymorphic attacks have a much better batting average when results from more than one site are analyzed together rather than individually, researchers told an IEEE homeland security conference this week.
Analyzing attack data from more than one Web server at different sites can help shorten the list of possible attacks that network security staffers have to investigate. It also dramatically reduces the number of false positives that get flagged, says Nathan Boggs, a Columbia University graduate student who presented research by his school and George Mason University at the 2010 IEEE International Conference for Homeland Security.
While the research used just two sites, if the number of sites were increased the results would likely improve, Boggs said.
As it was, the rates of false positives at the two sites were 2.7% and 5.1% when anomalies detected at each site were analyzed in isolation. When all the anomalies from both sites were shared and only those common to both sites were considered, the rate of false positives dropped to .032%, according to the research Boggs presented.
At the same time, however, sorting out just the common anomalies led to fewer actual attacks being discovered, dropping from 304 at one site and 243 at the other to 92 when the anomaly data was shared, he said. But if the number of sites polled were increased, the rate of detecting actual attacks would likely improve, he said, because the more an anomaly shows up, the more likely it was sent intentionally. "The odds of similar anomalies are very low," Boggs said.
Detecting anomalies that might be attacks at individual sites yielded 41,232 incidents at one site and 20,678 at another, according to the research. That included 1,131 false positives at the first site and 1,070 at the second, Boggs said.
Of all the anomalies found, the detectors discovered 340 true positives at one site and 243 at the other, he said.
When anomalies from both sites were shared, they had 12,353 potential incidents in common, he said, which included 92 true positives and four false positives. Whether data from each site was analyzed or shared data was analyzed, the rate of true positives was low, ranging from .7% to 1.1%.
Some security executives have already discovered that sharing attack information is valuable. For example, members of the Bay Area CSO Council informally share information about attacks their networks suffer in an effort to flag those that seem to be widespread or pose significant threats.
Read more about wide area network in Network World's Wide Area Network section.