Experimental Results of Cross-Site Exchange of Web Content Anomaly Detector Alerts
The authors present the initial experimental findings from a collaborative deployment of network Anomaly Detection (AD) sensors. The system examines ingress HTTP traffic and correlates AD alerts from two administratively disjoint domains: Columbia University and George Mason University. They show that, by exchanging packet-content alerts between the two sites, they can achieve zero-day attack detection with a relatively small number of false positives: content that is abnormal at one site may simply be a local novelty, but content that is abnormal at both sites is far more likely to be an attack. Furthermore, they empirically demonstrate that the vast majority of common abnormal data represent attack vectors rather than false positives. They posit that cross-site collaboration enables the automated detection of common abnormal data, which is likely to ferret out zero-day attacks with high accuracy and minimal human intervention.
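The following is an added example, not code from the paper or from either site's deployment, that illustrates the mechanism the abstract describes: each site trains its own content anomaly detector on local normal HTTP traffic, each raises alerts carrying the abnormal part of a request's content, and the two alert streams are correlated so that only abnormal content seen at both sites survives. The detector here is a simplified byte n-gram model, the thresholds, host names, training requests, local novelties and attack paths are all constructed assumptions, and the similarity measure (Jaccard over the abnormal n-grams) is a choice made for this example rather than the paper's method.

```python
"""Cross-site correlation of content anomaly detector (AD) alerts (added example).

Two administratively disjoint sites each train a content AD model on their own
normal ingress HTTP traffic, exchange the alerts they raise, and keep only the
abnormal content that both sites saw. Everything below (n-gram model, thresholds,
hosts, traffic) is a constructed assumption for illustration.
"""
from dataclasses import dataclass

N = 3  # byte n-gram size (assumption)


def ngrams(payload: bytes, n: int = N) -> set[bytes]:
    """Set of distinct n-byte substrings of a request."""
    return {payload[i:i + n] for i in range(len(payload) - n + 1)}


@dataclass(frozen=True)
class Alert:
    site: str
    payload: bytes
    abnormal: frozenset  # n-grams the raising site's model had never seen


class SiteDetector:
    """Per-site content AD: alert when enough of a request's n-grams are unseen."""

    def __init__(self, name: str, threshold: float = 0.1):
        self.name = name
        self.threshold = threshold  # fraction of unseen n-grams that triggers an alert
        self.known: set[bytes] = set()

    def train(self, normal_payloads):
        for p in normal_payloads:
            self.known |= ngrams(p)

    def score(self, payload: bytes) -> float:
        grams = ngrams(payload)
        return sum(g not in self.known for g in grams) / len(grams) if grams else 0.0

    def inspect(self, payloads):
        alerts = []
        for p in payloads:
            grams = ngrams(p)
            abnormal = frozenset(g for g in grams if g not in self.known)
            if grams and len(abnormal) / len(grams) >= self.threshold:
                # Only the abnormal n-grams are shared with the peer site.
                alerts.append(Alert(self.name, p, abnormal))
        return alerts


def jaccard(a: frozenset, b: frozenset) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0


def correlate(alerts_a, alerts_b, min_similarity: float = 0.5):
    """Pairs of alerts whose abnormal content is shared across the two sites."""
    return [(x, y, jaccard(x.abnormal, y.abnormal))
            for x in alerts_a for y in alerts_b
            if jaccard(x.abnormal, y.abnormal) >= min_similarity]


# ---- constructed traffic ---------------------------------------------------
def request(path: str, host: str) -> bytes:
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: Mozilla/5.0\r\n\r\n".encode()


SITE_A_HOST = "www.cs.columbia.edu"  # assumed host names
SITE_B_HOST = "www.gmu.edu"

TRAIN_A = [request(p, SITE_A_HOST) for p in
           ("/", "/index.php?page=home", "/index.php?page=courses", "/people/faculty.html", "/css/site.css")]
TRAIN_B = [request(p, SITE_B_HOST) for p in
           ("/", "/index.php?page=home", "/index.php?page=admissions", "/library/hours.html", "/css/main.css")]

# The same two (constructed) attack payloads are sprayed at both sites.
ATTACKS = ("/index.php?page=1%27%20OR%201=1--", "/cgi-bin/.%2e/.%2e/.%2e/etc/passwd")

# Each site also sees one known-good request and one legitimate local novelty
# (a new page that exists only at that site: a site-local false positive).
TEST_A = [request("/index.php?page=home", SITE_A_HOST), request("/new-lab-signup", SITE_A_HOST)] \
    + [request(a, SITE_A_HOST) for a in ATTACKS]
TEST_B = [request("/library/hours.html", SITE_B_HOST), request("/parking/permits", SITE_B_HOST)] \
    + [request(a, SITE_B_HOST) for a in ATTACKS]


def run_exchange():
    """Train both sites, raise alerts, exchange them, return (alerts_a, alerts_b, common)."""
    a, b = SiteDetector("columbia"), SiteDetector("gmu")
    a.train(TRAIN_A)
    b.train(TRAIN_B)
    alerts_a, alerts_b = a.inspect(TEST_A), b.inspect(TEST_B)
    return alerts_a, alerts_b, correlate(alerts_a, alerts_b)


if __name__ == "__main__":
    alerts_a, alerts_b, common = run_exchange()
    for al in alerts_a + alerts_b:
        print(f"[{al.site}] local alert: {al.payload.splitlines()[0]!r}")
    for x, y, s in common:
        print(f"COMMON abnormal data (similarity {s:.2f}): {x.payload.splitlines()[0]!r}")
```

Run stand-alone, the two local novelties each raise an alert at their own site only, while the two attack paths raise alerts at both sites and are the only entries that survive correlation. In a real deployment one would exchange a privacy-preserving digest of the abnormal content rather than the raw n-grams; that refinement is outside this example.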