A Methodology for Testing Intrusion Detection Systems
IEEE Transactions on Software Engineering
Testing and evaluating computer intrusion detection systems
Communications of the ACM
ISS RealSecure pushes past newer IDS players
Network Computing
Network Computing
The 1999 DARPA off-line intrusion detection evaluation
Computer Networks: The International Journal of Computer and Telecommunications Networking - Special issue on recent advances in intrusion detection systems
Cover story: dragon claws its way to the top
Network Computing
The 1998 Lincoln Laboratory IDS Evaluation
RAID '00 Proceedings of the Third International Workshop on Recent Advances in Intrusion Detection
Throttling Viruses: Restricting propagation to defeat malicious mobile code
ACSAC '02 Proceedings of the 18th Annual Computer Security Applications Conference
Monitoring and early warning for internet worms
Proceedings of the 10th ACM conference on Computer and communications security
Network traffic anomaly detection based on packet bytes
Proceedings of the 2003 ACM symposium on Applied computing
ICDCS '04 Proceedings of the 24th International Conference on Distributed Computing Systems (ICDCS'04)
Diagnosing network-wide traffic anomalies
Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications
IEEE Security and Privacy
Characterization of network-wide anomalies in traffic flows
Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
Snort - Lightweight Intrusion Detection for Networks
LISA '99 Proceedings of the 13th USENIX conference on System administration
Modeling and Automated Containment of Worms
DSN '05 Proceedings of the 2005 International Conference on Dependable Systems and Networks
Mining anomalies using traffic feature distributions
Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
The devil and packet trace anonymization
ACM SIGCOMM Computer Communication Review
A first look at modern enterprise traffic
IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
Combining filtering and statistical methods for anomaly detection
IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
Detecting anomalies in network traffic using maximum entropy estimation
IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
Implementing and testing a virus throttle
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Very fast containment of scanning worms
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Sensitivity of PCA for traffic anomaly detection
Proceedings of the 2007 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
Improving accuracy of immune-inspired malware detectors by using intelligent features
Proceedings of the 10th annual conference on Genetic and evolutionary computation
Comparing anomaly detection techniques for HTTP
RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
Empirical analysis of rate limiting mechanisms
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
What is the impact of p2p traffic on anomaly detection?
RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
Accuracy improving guidelines for network anomaly detection systems
Journal in Computer Virology
Using code bloat to obfuscate evolved network traffic
EvoCOMNET'10 Proceedings of the 2010 international conference on Applications of Evolutionary Computation - Volume Part II
Revisiting traffic anomaly detection using software defined networking
RAID'11 Proceedings of the 14th international conference on Recent Advances in Intrusion Detection
Mining Concept Drifting Network Traffic in Cloud Computing Environments
CCGRID '12 Proceedings of the 2012 12th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing (ccgrid 2012)
Automated Anomaly Detector Adaptation using Adaptive Threshold Tuning
ACM Transactions on Information and System Security (TISSEC)
POSTER: Revisiting anomaly detection system design philosophy
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Hi-index | 0.00 |
Since the seminal 1998/1999 DARPA evaluations of intrusion detection systems, network attacks have evolved considerably. In particular, after the CodeRed worm of 2001, the volume and sophistication of self-propagating malicious code threats have been increasing at an alarming rate. Many anomaly detectors have been proposed, especially in the past few years, to combat these new and emerging network attacks. At this time, it is important to evaluate existing anomaly detectors to determine and learn from their strengths and shortcomings. In this paper, we evaluate the performance of eight prominent network-based anomaly detectors under malicious portscan attacks. These ADSs are evaluated on four criteria: accuracy (ROC curves), scalability (with respect to varying normal and attack traffic rates, and deployment points), complexity (CPU and memory requirements during training and classification,) and detection delay. These criteria are evaluated using two independently collected datasets with complementary strengths. Our results show that a few of the anomaly detectors provide high accuracy on one of the two datasets, but are unable to scale their accuracy across the datasets. Based on our experiments, we identify promising guidelines to improve the accuracy and scalability of existing and future anomaly detectors.