Topic
Anomaly-based intrusion detection system
About: Anomaly-based intrusion detection system is a research topic. Over the lifetime, 3902 publications have been published within this topic receiving 112362 citations.
Papers published on a yearly basis
Papers
More filters
••
01 Jan 2004TL;DR: A system for automated generation of attack signatures for network intrusion detection systems that successfully created precise traffic signatures that otherwise would have required the skills and time of a security officer to inspect the traffic manually.
Abstract: This paper describes a system for automated generation of attack signatures for network intrusion detection systems. Our system applies pattern-matching techniques and protocol conformance checks on multiple levels in the protocol hierarchy to network traffic captured a honeypot system. We present results of running the system on an unprotected cable modem connection for 24 hours. The system successfully created precise traffic signatures that otherwise would have required the skills and time of a security officer to inspect the traffic manually.
708 citations
••
27 Oct 2003TL;DR: An intrusion detection system that uses a number of different anomaly detection techniques to detect attacks against web servers and web-based applications and derives automatically the parameter profiles associated with web applications from the analyzed data.
Abstract: Web-based vulnerabilities represent a substantial portion of the security exposures of computer networks. In order to detect known web-based attacks, misuse detection systems are equipped with a large number of signatures. Unfortunately, it is difficult to keep up with the daily disclosure of web-related vulnerabilities, and, in addition, vulnerabilities may be introduced by installation-specific web-based applications. Therefore, misuse detection systems should be complemented with anomaly detection systems. This paper presents an intrusion detection system that uses a number of different anomaly detection techniques to detect attacks against web servers and web-based applications. The system correlates the server-side programs referenced by client queries with the parameters contained in these queries. The application-specific characteristics of the parameters allow the system to perform focused analysis and produce a reduced number of false positives. The system derives automatically the parameter profiles associated with web applications (e.g., length and structure of parameters) from the analyzed data. Therefore, it can be deployed in very different application environments without having to perform time-consuming tuning and configuration.
661 citations
••
TL;DR: This study investigated the performance of two feature selection algorithms involving Bayesian networks and Classification and Regression Trees and an ensemble of BN and CART and proposed an hybrid architecture for combining different feature selection algorithm for real world intrusion detection.
634 citations
••
18 Nov 2002TL;DR: A formal framework for alert correlation, the implementation of an off-line alert correlator based on the framework, and the evaluation of the method with the 2000 DARPA intrusion detection scenario specific datasets demonstrate the potential of the proposed method and its advantage over alternative methods.
Abstract: Traditional intrusion detection systems (IDSs) focus on low-level attacks or anomalies, and raise alerts independently, though there may be logical connections between them. In situations where there are intensive intrusions, not only will actual alerts be mixed with false alerts, but the amount of alerts will also become unmanageable. As a result, it is difficult for human users or intrusion response systems to understand the alerts and take appropriate actions. This paper presents a practical technique to address this issue. The proposed approach constructs attack scenarios by correlating alerts on the basis of prerequisites and consequences of intrusions. Intuitively, the prerequisite of an intrusion is the necessary condition for the intrusion to be successful, while the consequence of an intrusion is the possible outcome of the intrusion. Based on the prerequisites and consequences of different types of attacks, the proposed approach correlates alerts by (partially) matching the consequence of some previous alerts and the prerequisite of some later ones. The contribution of this paper includes a formal framework for alert correlation, the implementation of an off-line alert correlator based on the framework, and the evaluation of our method with the 2000 DARPA intrusion detection scenario specific datasets. Our experience and experimental results have demonstrated the potential of the proposed method and its advantage over alternative methods.
548 citations