The 1999 DARPA off-line intrusion detection evaluation
Computer Networks: The International Journal of Computer and Telecommunications Networking - Special issue on recent advances in intrusion detection systems
Difficulties in simulating the internet
IEEE/ACM Transactions on Networking (TON)
Learning nonstationary models of normal network traffic for detecting novel attacks
Proceedings of the eighth ACM SIGKDD international conference on Knowledge discovery and data mining
Network traffic anomaly detection based on packet bytes
Proceedings of the 2003 ACM symposium on Applied computing
Utilizing Statistical Characteristics of N-grams for Intrusion Detection
CW '03 Proceedings of the 2003 International Conference on Cyberworlds
Snort - Lightweight Intrusion Detection for Networks
LISA '99 Proceedings of the 13th USENIX conference on System administration
Bro: a system for detecting network intruders in real-time
SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7
A sense of self for Unix processes
SP'96 Proceedings of the 1996 IEEE conference on Security and privacy
Hi-index | 0.00 |
Network intrusion detection systems often rely on matching patterns that are learned from known attacks. While this method is reliable and rarely produces false alarms, it has the disadvantage that it cannot detect novel attacks. An alternative approach is to learn a model of normal traffic and report deviations, but these anomaly models are typically restricted to modeling IP addresses and ports. We describe an anomaly detection system which models all the fields of network, transport layer and payload of a packet at the byte level, by giving more weight to the most anomalous attributes. We investigated all the attributes and assigned weights to the attributes based on their anomalous behavior. We detect 144 of 185 attacks in the DARPA off-line intrusion detection evaluation data set [1] at 10 false alarms per day (total 100 false alarms), after training on one week of attack-free traffic. We investigate the performance of the system when attack free training data is not available.