•    Overview
  • The goal of the project is to detect compromised or misconfigured hosts by correlating file system changes across different machines. Most current intrusion techniques result in the modification, insertion, or deletion of system configuration files, binaries, libraries, log files, or the system kernel. However, as operating systems and application software become more and more complex, users, and even system administrators, usually lose track of a machine's up-to-date configuration and file system updates. One existing solution is to use tools such as tripwire to report file system updates daily, based on a set of rules specified manually beforehand; a rule violation indicates a possible malicious attack. Since each host has its own unique configuration, the system administrator needs to specify a unique rule set for each host, a task that is extremely time consuming and thus not often done in practice.


    Figure 1. Pointillist Approach to Intrusion Detection

    An important observation is that attacks usually have strong temporal and spatial correlations across multiple hosts in one administration domain. Since attacks often propagate quickly, if one host is compromised, then it is likely that another host gets compromised soon afterwards. On the other hand, machines in the same administration domain usually have similar configurations, so they tend to have common vulnerabilities. If one host is compromised by an attack, then it is likely that another host nearby will also be compromised by the same attack. Therefore, correlating file system changes across multiple machines may provide a way to detect attacks early on without manually specified rules.
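    The following is an added example, not code from the Seurat project or its authors. It sketches the two steps the overview describes: a per-host daily file system scan in the spirit of tripwire (hash every file, diff against the previous snapshot), and the pointillist correlation that flags a file change appearing on several hosts on the same day while having no recent history on any host. Hostnames, paths, dates and the daily reports are constructed sample data; the thresholds `min_hosts` and `history_days` are assumptions.

```python
"""Added example, not code from the Seurat project or its authors.

Step 1: a per-host daily scan (tripwire-style) that hashes every file and
diffs against the previous snapshot.  Step 2: cross-host correlation that
flags a path changed on several hosts the same day with no recent history,
the signal the overview argues is characteristic of an attack propagating
through one administrative domain.  All data below is constructed.
"""
import hashlib
import os
import tempfile
from collections import Counter


def snapshot(root):
    """Map each file under root (as a '/'-separated relative path) to its
    (size, sha256); comparing hashes catches same-size replacements."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            snap[rel] = (os.path.getsize(path), digest)
    return snap


def diff_snapshots(old, new):
    """One host's daily change report: added, deleted and modified paths."""
    return {
        "added": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


def correlate(reports, min_hosts=3, history_days=7):
    """Cross-host correlation over {day: {host: set(changed_paths)}}.

    A path is flagged on a day when at least min_hosts hosts changed it that
    day and no host changed it in the preceding history_days days.  Changes
    that recur (log files, routine rotation) build a history and are ignored,
    so no per-host rule set is needed.  Returns sorted (day, path, hosts)."""
    days = sorted(reports)
    alerts = []
    for i, day in enumerate(days):
        if i == 0:
            continue  # need at least one earlier day to serve as a baseline
        today = Counter(p for paths in reports[day].values() for p in paths)
        history = Counter(
            p
            for prev in days[max(0, i - history_days):i]
            for paths in reports[prev].values()
            for p in paths
        )
        for path, n in today.items():
            if n >= min_hosts and history[path] == 0:
                hosts = sorted(h for h, ps in reports[day].items() if path in ps)
                alerts.append((day, path, hosts))
    return sorted(alerts)


# --- constructed sample data (five hosts, four days) --------------------------
HOSTS = ["h1", "h2", "h3", "h4", "h5"]
DAYS = ["2004-09-01", "2004-09-02", "2004-09-03", "2004-09-04"]
# Every host's syslog changes every day: routine, so it builds history and is never flagged.
SAMPLE_REPORTS = {day: {h: {"var/log/messages"} for h in HOSTS} for day in DAYS}
# Day 3: three hosts have the same two system binaries replaced (constructed attack signal).
for h in ["h1", "h2", "h3"]:
    SAMPLE_REPORTS["2004-09-03"][h] |= {"bin/ls", "sbin/init"}
# Day 3: one host has a user file edited (ordinary local activity on a single host).
SAMPLE_REPORTS["2004-09-03"]["h4"].add("home/alice/notes.txt")


def demo_scan():
    """Run one host's daily scan on a constructed tree in a temp directory."""
    with tempfile.TemporaryDirectory() as root:
        files = {"bin/ls": b"ELF original", "etc/passwd": b"root:x:0:0:",
                 "var/log/messages": b"day 1"}
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        before = snapshot(root)
        # One day later: the log grew, a binary was replaced with a same-size
        # file (a size check alone would miss it), and a new config file appeared.
        with open(os.path.join(root, "var/log/messages"), "ab") as f:
            f.write(b"\nday 2")
        with open(os.path.join(root, "bin/ls"), "wb") as f:
            f.write(b"ELF replaced")
        with open(os.path.join(root, "etc/new.conf"), "wb") as f:
            f.write(b"setting=1")
        return diff_snapshots(before, snapshot(root))


if __name__ == "__main__":
    print(demo_scan())
    for day, path, hosts in correlate(SAMPLE_REPORTS):
        print(f"{day}: {path} changed on {len(hosts)} hosts {hosts}")
```

    On the constructed data the correlation flags only `bin/ls` and `sbin/init` on day 3, on hosts h1 through h3; the daily log change is suppressed by its history and the single-host edit never reaches `min_hosts`. One caveat a practitioner would keep in mind: a legitimate coordinated software update also touches the same system files on every host on the same day and produces exactly this signal, so an alert is a starting point for investigation rather than a verdict.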

  •    People
    • Faculty
      David O'Hallaron
      Mike Reiter
      Hui Zhang

    • Students
      Yinglian Xie
      Hyang-Ah Kim

  •    Download

    As a first step, we have implemented a multi-platform tool called glitter that scans file updates on each host daily to help us understand and model file system changes across different machines. The functionality of glitter is very similar to that of tripwire, but glitter supports both Windows and Linux operating systems. You can find more information about the software here. You need an id and password to access this download page. Please contact Yinglian Xie (ylxie at cs dot cmu dot edu) for the id and password.

    Continue to download from here.

  •    Publication

    • Y. Xie, H. Kim, D. O'Hallaron, M. Reiter, and H. Zhang, "Seurat: A Pointillist Approach to Anomaly Detection," In Proceedings of the 7th International Symposium on Recent Advances in Intrusion Detection (RAID2004), Sophia Antipolis, French Riviera, France, September 2004. [pdf] [ps] [Presentation slides]

  •    Related Links

    • Mingle project