Current IDSs can easily be overwhelmed by the amount of information they ought to analyse. By pre-processing that information, this paper aims both to alleviate the computational overhead involved in intrusion detection and to make IDSs scalable. Regardless of whether it is a sequence of network packets or a sequence of system calls, the information an IDS analyses is often redundant in at least two respects: first, every entry in the sequence may contain spurious information; second, any sequence may contain redundant subsequences. Using Rough Sets, we have identified the key attributes of every entry, eliminating spurious information without losing essential details. Using n-gram theory, we have identified the most redundant subsequences within a sequence and substituted each of them with a fresh tag, which reduces the sequence length. To make an IDS scalable, we propose structuring it as a collection of sensors, each specialised to a particular service, e.g. telnet, smtp, etc. For service selection we suggest the use of Hidden Markov Models, each trained to recognise a specific service described by a family of n-grams. Our results are encouraging: we have obtained an average reduction factor of 12. Using the service discriminator we have also written a simple, yet effective, misuse IDS. The impact on detection and false-alarm rates when using reduced sequences is negligible.
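The n-gram substitution step described above, as an added illustration that is not the paper's own code: repeated n-grams are greedily replaced by fresh tags until nothing repeats, the substitutions are recorded so the original sequence can be recovered, and the reduction factor is the ratio of the two lengths. The system-call trace, the greedy "most symbols saved" selection rule, the n-gram size range and the `T0`, `T1`, ... tag names are all constructed assumptions for the example.

```python
# Constructed sample trace of system calls with repeated subsequences
SAMPLE_TRACE = (["open", "read", "read", "close"] * 3
                + ["mmap", "write", "write", "write", "munmap"] * 2
                + ["open", "read", "read", "close"])

def count_nonoverlapping(seq, gram):
    """Count non-overlapping occurrences of the n-gram `gram` in `seq`."""
    n, i, count = len(gram), 0, 0
    while i <= len(seq) - n:
        if tuple(seq[i:i + n]) == gram:
            count, i = count + 1, i + n
        else:
            i += 1
    return count

def replace_ngram(seq, gram, tag):
    """Replace each non-overlapping occurrence of `gram` by the single symbol `tag`."""
    n, out, i = len(gram), [], 0
    while i < len(seq):
        if tuple(seq[i:i + n]) == gram:
            out.append(tag)
            i += n
        else:
            out.append(seq[i])
            i += 1
    return out

def reduce_sequence(seq, min_n=2, max_n=5):
    """Greedily substitute the repeated n-gram whose replacement saves the most
    symbols, minting a fresh tag (assumed not to collide with real symbols) each
    round, until no n-gram repeats. Returns the reduced sequence and tag table."""
    seq, dictionary = list(seq), {}
    while True:
        best = None  # (symbols saved, n-gram)
        for n in range(min_n, max_n + 1):
            for gram in dict.fromkeys(tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)):
                c = count_nonoverlapping(seq, gram)
                saving = c * (n - 1) if c >= 2 else 0
                if saving and (best is None or saving > best[0]):
                    best = (saving, gram)
        if best is None:
            return seq, dictionary
        tag = f"T{len(dictionary)}"  # fresh tag for this subsequence
        dictionary[tag] = best[1]
        seq = replace_ngram(seq, best[1], tag)

def expand(seq, dictionary):
    """Undo the reduction (tags may nest, so expand recursively)."""
    return [s for sym in seq
            for s in (expand(dictionary[sym], dictionary) if sym in dictionary else [sym])]
```

On the constructed 26-call trace the reduced sequence has 6 symbols, a reduction factor of about 4.3, and `expand` restores the original exactly, which is the property that lets a detector work on the shortened sequence without losing information.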