A brief observation-centric analysis on anomaly-based intrusion detection

Authors:
Zonghua Zhang;Hong Shen
Affiliations:
Graduate School of Information Science, Japan Advanced Institute of Science and Technology, Ishikwa, Japan;Graduate School of Information Science, Japan Advanced Institute of Science and Technology, Ishikwa, Japan
Venue:
ISPEC'05 Proceedings of the First international conference on Information Security Practice and Experience
Year:
2005

Citing 13
Cited 0

Testing Intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory

ACM Transactions on Information and System Security (TISSEC)
Modeling heterogeneous network traffic in wavelet domain

IEEE/ACM Transactions on Networking (TON)
Anomaly Detection in Embedded Systems

IEEE Transactions on Computers - Special issue on fault-tolerant embedded systems
Measuring system normality

ACM Transactions on Computer Systems (TOCS)
Statistical Foundations of Audit Trail Analysis for the Detection of Computer Misuse

IEEE Transactions on Software Engineering
Clustering Data Streams: Theory and Practice

IEEE Transactions on Knowledge and Data Engineering
Comparing Data Streams Using Hamming Norms (How to Zero In)

IEEE Transactions on Knowledge and Data Engineering
"Why 6?" Defining the Operational Limits of Stide, an Anomaly-Based Intrusion Detector

SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Information-Theoretic Measures for Anomaly Detection

SP '01 Proceedings of the 2001 IEEE Symposium on Security and Privacy
Optimality of universal Bayesian sequence prediction for general loss and alphabet

The Journal of Machine Learning Research
Intrusion detection using sequences of system calls

Journal of Computer Security
A sense of self for Unix processes

SP'96 Proceedings of the 1996 IEEE conference on Security and privacy
Probabilistic techniques for intrusion detection based on computer audit data

IEEE Transactions on Systems, Man, and Cybernetics, Part A: Systems and Humans

Quantified Score

Hi-index	0.00

Visualization

Abstract

This paper is focused on the analysis of the anomaly-based intrusion detectors' operational capabilities and drawbacks, from the perspective of their operating environments, instead of the schemes per se. Based on the similarity with the induction problem, anomaly detection is cast in a statistical framework for describing their general anticipated behaviors. Several key problems and corresponding potential solutions about the normality characterization for the observable subjects from hosts and networks are addressed respectively, together with the case studies of several representative detection models. Anomaly detectors' evaluation are also discussed briefly based on some existing achievements. Careful analysis shows that the fundamental understanding of the operating environments is the essential stage in the process of establishing an effective anomaly detection model, which therefore worth insightful exploration, especially when we face the dilemma between the detection performance and the computational cost.