Ensemble: Community-based anomaly detection for popular applications

Feng Qian, Zhiyun Qian, Z. Morley Mao, Atul Prakash

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution


A major challenge in securing end-user systems is the risk of popular applications being hijacked at run-time. Traditional measures do not prevent such threats because the code itself is unmodified, and local anomaly detectors are difficult to tune to correct thresholds because of insufficient training data. Given that the targets of attackers are often popular applications for communication and social networking, we propose Ensemble, a novel, automated approach based on a trusted community of users contributing system-call level local behavioral profiles of their applications to a global profile merging engine. The trust can be assumed in cases such as enterprise environments and can be further policed by reputation systems, e.g., by exploiting trust relationships inherently associated with social networks. The generated global profile can be used by all community users for local anomaly detection or prevention. Evaluation results based on a malware pool of 57 exploits demonstrate that Ensemble is an effective defense technique for communities of about 300 or more users, as in enterprise environments.
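The following toy model is an added illustration of the abstract's core argument and is not code from the paper: it shows why a system-call profile built from one user flags legitimate but rarely used features as anomalies, and how merging many users' local profiles into a global one drives that false-positive rate down while a hijack trace stays fully anomalous. The n-gram representation, the union-based merge, the usage model (`PERIOD`) and all traces are assumptions made for the illustration.

```python
N = 3            # n-gram length over the syscall sequence
THRESHOLD = 0.2  # flag a session if more than 20% of its n-grams are unseen

# Constructed benign "code paths" of one popular app: each is a syscall
# sequence a session may execute. A real profile would be collected from the
# running process; these are made up for the illustration.
BENIGN_PATHS = [
    ["open", "read", "close"],
    ["socket", "connect", "write", "read", "close"],
    ["stat", "open", "mmap", "close"],
    ["getpid", "write", "fsync"],
    ["open", "ioctl", "read", "close"],
    ["poll", "recvfrom", "write"],
    ["pipe", "fork", "wait4"],
    ["open", "fstat", "mmap", "munmap", "close"],
]
# Assumed usage model: user u (numbered from 1) exercises path j only when
# u is a multiple of PERIOD[j], so rare features need many users to show up.
PERIOD = [1, 2, 3, 5, 10, 25, 100, 250]
# Constructed hijack trace: injected code wiring a socket to a spawned shell.
HIJACK_SESSION = ["socket", "connect", "dup2", "dup2", "execve", "read", "write"]

def ngrams(session, n=N):
    """Sliding-window n-grams of one session's syscall sequence."""
    return {tuple(session[i:i + n]) for i in range(len(session) - n + 1)}

def local_profile(sessions):
    """One user's local profile: every n-gram seen across that user's sessions."""
    return set().union(*(ngrams(s) for s in sessions))

def merge_profiles(profiles):
    """Global profile: the union of the community's local profiles."""
    return set().union(*profiles)

def anomaly_score(session, profile):
    """Fraction of a session's n-grams absent from the profile (0.0 .. 1.0)."""
    grams = ngrams(session)
    return len(grams - profile) / len(grams) if grams else 0.0

def is_anomalous(session, profile, threshold=THRESHOLD):
    return anomaly_score(session, profile) > threshold

def community_profile(n_users):
    """Merge the local profiles of users 1..n_users under the usage model."""
    profiles = [local_profile([p for p, k in zip(BENIGN_PATHS, PERIOD) if u % k == 0])
                for u in range(1, n_users + 1)]
    return merge_profiles(profiles)

def benign_false_positive_rate(profile):
    """Share of all benign n-grams that the given profile has never seen."""
    all_benign = local_profile(BENIGN_PATHS)
    return len(all_benign - profile) / len(all_benign)
```

With one contributor the profile misses most legitimate paths (false-positive rate above 0.9), with 300 contributors it covers all of them, and the hijack session scores 1.0 against either profile.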

Original language: English (US)
Title of host publication: Security and Privacy in Communication Networks - 5th International ICST Conference, SecureComm 2009, Revised Selected Papers
Number of pages: 22
State: Published - 2009
Externally published: Yes
Event: 5th International ICST Conference on Security and Privacy in Communication Networks, SecureComm 2009 - Athens, Greece
Duration: Sep 14 2009 to Sep 18 2009

Publication series

Name: Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering
Volume: 19 LNICST
ISSN (Print): 1867-8211


Other: 5th International ICST Conference on Security and Privacy in Communication Networks, SecureComm 2009
