ACM Transactions on Information and System Security (TISSEC)
The Case against Accuracy Estimation for Comparing Induction Algorithms
ICML '98 Proceedings of the Fifteenth International Conference on Machine Learning
Intrusion Detection Testing and Benchmarking Methodologies
IEEE-IWIA '03 Proceedings of the First IEEE International Workshop on Information Assurance (IWIA'03)
A Serial Combination of Anomaly and Misuse IDSes Applied to HTTP Traffic
ACSAC '04 Proceedings of the 20th Annual Computer Security Applications Conference
Detection of Web-Based Attacks through Markovian Protocol Parsing
ISCC '05 Proceedings of the 10th IEEE Symposium on Computers and Communications
Expert Systems with Applications: An International Journal
Proposals on assessment environments for anomaly-based network intrusion detection systems
CRITIS'06 Proceedings of the First international conference on Critical Information Infrastructures Security
| Hi-index | 0.00 |
Previous works has shown that Markov modelling can be used to model the payloads of the observed packets from a selected protocol with applications to anomaly-based intrusion detection. The detection is made based on a normality score derived from the model and a tunable threshold, which allows the choice of the operating point in terms of detection and false positive rates. In this work a hybrid system is proposed and evaluated based on this approach. The detection is made by explicit modelling of both the attack and the normal payloads and the joint use of a recognizer and a threshold based detector. First, the recognizer evaluates the probabilities of a payload being normal or attack and a probability of missclassification. The dubious results are passed through the detector, which evaluates the normality score. The system allows the choice of the operating point and improves the performance of the basic system.