Journal ArticleDOI
The 1999 DARPA off-line intrusion detection evaluation
Richard P. Lippmann,J.W. Haines,D. J. Fried,Jonathan Korba,Kumar Das +4 more
- Vol. 34, Iss: 4, pp 579-595
TLDR
This report describes new and known approaches and strategies that were used to make attacks stealthy for the 1999 DARPA Intrusion Detection Evaluation, and includes many examples of stealthy scripts that can be use to implement stealthy procedures.Abstract:
Eight sites participated in the second Defense Advanced Research Projects Agency (DARPA) off-line intrusion detection evaluation in 1999. A test bed generated live background traffic similar to that on a government site containing hundreds of users on thousands of hosts. More than 200 instances of 58 attack types were launched against victim UNIX and Windows NT hosts in three weeks of training data and two weeks of test data. False-alarm rates were low (less than 10 per day). The best detection was provided by network-based systems for old probe and old denial-of-service (DoS) attacks and by host-based systems for Solaris user-to-root (U2R) attacks. The best overall performance would have been provided by a combined system that used both host- and network-based intrusion detection. Detection accuracy was poor for previously unseen, new, stealthy and Windows NT attacks. Ten of the 58 attack types were completely missed by all systems. Systems missed attacks because signatures for old attacks did not generalize to new attacks, auditing was not available on all hosts, and protocols and TCP services were not analyzed at all or to the depth required. Promising capabilities were demonstrated by host-based systems, anomaly detection systems and a system that performs forensic analysis on file system data.read more
Citations
More filters
Journal ArticleDOI
Anomaly-based network intrusion detection: Techniques, systems and challenges
TL;DR: The main challenges to be dealt with for the wide scale deployment of anomaly-based intrusion detectors, with special emphasis on assessment issues are outlined.
Journal ArticleDOI
A Survey of Data Mining and Machine Learning Methods for Cyber Security Intrusion Detection
Anna L. Buczak,Erhan Guven +1 more
TL;DR: The complexity of ML/DM algorithms is addressed, discussion of challenges for using ML/ DM for cyber security is presented, and some recommendations on when to use a given method are provided.
Journal ArticleDOI
An overview of anomaly detection techniques: Existing solutions and latest technological trends
Animesh Patcha,Jung-Min Park +1 more
TL;DR: This paper provides a comprehensive survey of anomaly detection systems and hybrid intrusion detection systems of the recent past and present and discusses recent technological trends in anomaly detection and identifies open problems and challenges in this area.
Proceedings ArticleDOI
Outside the Closed World: On Using Machine Learning for Network Intrusion Detection
Robin Sommer,Vern Paxson +1 more
TL;DR: The main claim is that the task of finding attacks is fundamentally different from these other applications, making it significantly harder for the intrusion detection community to employ machine learning effectively.
Journal ArticleDOI
Testing Intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory
TL;DR: The purpose of this article is to attempt to identify the shortcomings of the Lincoln Lab effort in the hope that future efforts of this kind will be placed on a sounder footing.
References
More filters
Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection
TL;DR: Three classes of attacks which exploit fundamentally problems with the reliability of passive protocol analysis are defined--insertion, evasion and denial of service attacks--and how to apply these three types of attacks to IP and TCP protocol analysis is described.
Journal ArticleDOI
Towards a taxonomy of intrusion-detection systems
TL;DR: A taxonomy of intrusion-detection systems is introduced that highlights the various aspects of this area and is illustrated by numerous examples from past and current projects.
Proceedings ArticleDOI
Evaluating intrusion detection systems: the 1998 DARPA off-line intrusion detection evaluation
Richard P. Lippmann,D. J. Fried,Isaac Graf,J.W. Haines,K. R. Kendall,D. J. McClung,D. J. Weber,Seth Webster,D. Wyschogrod,Robert K. Cunningham,M.A. Zissman +10 more
TL;DR: In this paper, an intrusion detection evaluation test bed was developed which generated normal traffic similar to that on a government site containing 100's of users on 1000's of hosts, and more than 300 instances of 38 different automated attacks were launched against victim UNIX hosts in seven weeks of training data and two weeks of test data.
Learning program behavior profiles for intrusion detection
TL;DR: Three anomaly detection techniques for profiling program behavior that evolve from memorization to generalization are presented, which start from a simple equality matching algorithm for determining anomalous behavior, and evolve to a feed-forward backpropagation neural network for learning program behavior.