Cross-Layer Anomaly Correlation and Response Selection
A cyber attack modifies the behavior of its target application or system such that it is outside of its intended or desired range of behavior. The challenge is that one cannot predict the attack mechanism that will cause the modified behavior or when and how the target's behavior will diverge. Thus, if one restricts one's sensors to a particular aspect of the system or looks for specific malicious behavior, one is likely to miss the attack. This paper describes an approach for simultaneously examining multiple network and host abstraction layers to discover anomalous behavior and then correlating anomalies to determine whether an attack is taking place and, when applicable, select an automatic response.