scispace - formally typeset
Topic

Anomaly-based intrusion detection system

About: Anomaly-based intrusion detection system is a(n) research topic. Over the lifetime, 3902 publication(s) have been published within this topic receiving 112362 citation(s).

...read more

Papers
More filters

Proceedings Article
Martin Roesch1Institutions (1)
12 Nov 1999-
TL;DR: Snort provides a layer of defense which monitors network traffic for predefined suspicious activity or patterns, and alert system administrators when potential hostile traffic is detected.

...read more

Abstract: Network intrusion detection systems (NIDS) are an important part of any network security architecture. They provide a layer of defense which monitors network traffic for predefined suspicious activity or patterns, and alert system administrators when potential hostile traffic is detected. Commercial NIDS have many differences, but Information Systems departments must face the commonalities that they share such as significant system footprint, complex deployment and high monetary cost. Snort was designed to address these issues.

...read more

3,388 citations


Journal ArticleDOI
Dorothy E. Denning1Institutions (1)
TL;DR: A model of a real-time intrusion-detection expert system capable of detecting break-ins, penetrations, and other forms of computer abuse is described, based on the hypothesis that security violations can be detected by monitoring a system's audit records for abnormal patterns of system usage.

...read more

Abstract: A model of a real-time intrusion-detection expert system capable of detecting break-ins, penetrations, and other forms of computer abuse is described. The model is based on the hypothesis that security violations can be detected by monitoring a system's audit records for abnormal patterns of system usage. The model includes profiles for representing the behavior of subjects with respect to objects in terms of metrics and statistical models, and rules for acquiring knowledge about this behavior from audit records and for detecting anomalous behavior. The model is independent of any particular system, application environment, system vulnerability, or type of intrusion, thereby providing a framework for a general-purpose intrusion-detection expert system.

...read more

3,171 citations


Journal ArticleDOI
TL;DR: The main challenges to be dealt with for the wide scale deployment of anomaly-based intrusion detectors, with special emphasis on assessment issues are outlined.

...read more

Abstract: The Internet and computer networks are exposed to an increasing number of security threats. With new types of attacks appearing continually, developing flexible and adaptive security oriented approaches is a severe challenge. In this context, anomaly-based network intrusion detection techniques are a valuable technology to protect target systems and networks against malicious activities. However, despite the variety of such methods described in the literature in recent years, security tools incorporating anomaly detection functionalities are just starting to appear, and several important problems remain to be solved. This paper begins with a review of the most well-known anomaly-based intrusion detection techniques. Then, available platforms, systems under development and research projects in the area are presented. Finally, we outline the main challenges to be dealt with for the wide scale deployment of anomaly-based intrusion detectors, with special emphasis on assessment issues.

...read more

1,483 citations


ReportDOI
Wenke Lee1, Salvatore J. Stolfo1Institutions (1)
26 Jan 1998-
TL;DR: An agent-based architecture for intrusion detection systems where the learning agents continuously compute and provide the updated (detection) models to the detection agents is proposed.

...read more

Abstract: In this paper we discuss our research in developing general and systematic methods for intrusion detection. The key ideas are to use data mining techniques to discover consistent and useful patterns of system features that describe program and user behavior, and use the set of relevant system features to compute (inductively learned) classifiers that can recognize anomalies and known intrusions. Using experiments on the sendmail system call data and the network tcpdump data, we demonstrate that we can construct concise and accurate classifiers to detect anomalies. We provide an overview on two general data mining algorithms that we have implemented: the association rules algorithm and the frequent episodes algorithm. These algorithms can be used to compute the intra-and inter-audit record patterns, which are essential in describing program or user behavior. The discovered patterns can guide the audit data gathering process and facilitate feature selection. To meet the challenges of both efficient learning (mining) and real-time detection, we propose an agent-based architecture for intrusion detection systems where the learning agents continuously compute and provide the updated (detection) models to the detection agents.

...read more

1,327 citations


2


Proceedings ArticleDOI
Wenke Lee1, Salvatore J. Stolfo1, Kui W. Mok1Institutions (1)
14 May 1999-
TL;DR: A data mining framework for adaptively building Intrusion Detection (ID) models is described, to utilize auditing programs to extract an extensive set of features that describe each network connection or host session, and apply data mining programs to learn rules that accurately capture the behavior of intrusions and normal activities.

...read more

Abstract: There is often the need to update an installed intrusion detection system (IDS) due to new attack methods or upgraded computing environments. Since many current IDSs are constructed by manual encoding of expert knowledge, changes to IDSs are expensive and slow. We describe a data mining framework for adaptively building Intrusion Detection (ID) models. The central idea is to utilize auditing programs to extract an extensive set of features that describe each network connection or host session, and apply data mining programs to learn rules that accurately capture the behavior of intrusions and normal activities. These rules can then be used for misuse detection and anomaly detection. New detection models are incorporated into an existing IDS through a meta-learning (or co-operative learning) process, which produces a meta detection model that combines evidence from multiple models. We discuss the strengths of our data mining programs, namely, classification, meta-learning, association rules, and frequent episodes. We report on the results of applying these programs to the extensively gathered network audit data for the 1998 DARPA Intrusion Detection Evaluation Program.

...read more

1,265 citations


14


Network Information
Related Topics (5)
Intrusion detection system

28.4K papers, 509.5K citations

91% related
Network security

23.9K papers, 349.5K citations

90% related
Denial-of-service attack

10.2K papers, 157.8K citations

89% related
Security information and event management

14.1K papers, 254.1K citations

89% related
Role-based access control

5.1K papers, 109.1K citations

88% related
Performance
Metrics
No. of papers in the topic in previous years
YearPapers
202119
202024
201917
201834
2017117
2016222

Top Attributes

Show by:

Topic's top 5 most impactful authors

Ajith Abraham

10 papers, 943 citations

Giovanni Vigna

8 papers, 1K citations

Giorgio Giacinto

7 papers, 573 citations

Hiroki Takakura

6 papers, 109 citations

Ali A. Ghorbani

6 papers, 259 citations