Locality-based profile analysis for secondary intrusion detection

While a firewall at the perimeter of a local network provides the first line of defense against attackers, many intrusion incidents result from successftd penetration of the firewall. The compromise of one computer puts the entire network at risk. We propose a distributed personal Intrusion Detection System (IDS) that provides local anomaly detection as well as centralized traffic analysis. The system first builds profiles for normal network activity and then labels as suspicious any events that deviate from the normal profiles. The normal profiles are based on variations in connection-based behavior at each individual host. Deviations at each host are recorded using a local weight assignment scheme and then further processed by the central analyzer to build a weighted link graph representing the overall network abnormality. As local networks become more vulnerable to inside attack, our system reinforces security to prevent corruption from the inside.