IEEE Transactions on Software Engineering - Special issue on computer security and privacy
NADIR: an automated system for detecting network intrusion and misuse
Computers and Security
Communications of the ACM
A high-performance network intrusion detection system
CCS '99 Proceedings of the 6th ACM conference on Computer and communications security
NATE: Network Analysis of Anomalous Traffic Events, a low-cost approach
Proceedings of the 2001 workshop on New security paradigms
Analysis and Results of the 1999 DARPA Off-Line Intrusion Detection Evaluation
RAID '00 Proceedings of the Third International Workshop on Recent Advances in Intrusion Detection
Learning Program Behavior Profiles for Intrusion Detection
Proceedings of the Workshop on Intrusion Detection and Network Monitoring
NetSTAT: A Network-Based Intrusion Detection Approach
ACSAC '98 Proceedings of the 14th Annual Computer Security Applications Conference
SP '97 Proceedings of the 1997 IEEE Symposium on Security and Privacy
Snort - Lightweight Intrusion Detection for Networks
LISA '99 Proceedings of the 13th USENIX conference on System administration
Synthesizing fast intrusion prevention/detection systems from high-level specifications
SSYM'99 Proceedings of the 8th conference on USENIX Security Symposium - Volume 8
Bro: a system for detecting network intruders in real-time
SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7
Data mining approaches for intrusion detection
SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7
Epidemic profiles and defense of scale-free networks
Proceedings of the 2003 ACM workshop on Rapid malcode
Application of Maximum Entropy Principle to Software Failure Prediction
COMPSAC '04 Proceedings of the 28th Annual International Computer Software and Applications Conference - Volume 01
LAD: Localization Anomaly Detection forWireless Sensor Networks
IPDPS '05 Proceedings of the 19th IEEE International Parallel and Distributed Processing Symposium (IPDPS'05) - Papers - Volume 01
Real-time data attack isolation for commercial database applications
Journal of Network and Computer Applications
A dynamic data mining technique for intrusion detection systems
Proceedings of the 43rd annual Southeast regional conference - Volume 2
Proceedings of the 4th ACM workshop on Recurring malcode
Evading network anomaly detection systems: formal reasoning and practical techniques
Proceedings of the 13th ACM conference on Computer and communications security
Factor-analysis based anomaly detection and clustering
Decision Support Systems
Analyzing and evaluating dynamics in stide performance for intrusion detection
Knowledge-Based Systems
Intrusion detection aware component-based systems: A specification-based framework
Journal of Systems and Software
Adaptive real-time anomaly detection with incremental clustering
Information Security Tech. Report
Challenging the anomaly detection paradigm: a provocative discussion
NSPW '06 Proceedings of the 2006 workshop on New security paradigms
Approximate autoregressive modeling for network attack detection
Journal of Computer Security - Privacy, Security and Trust (PST) Technologies: Evolution and Challenges
LIDF: Layered intrusion detection framework for ad-hoc networks
Ad Hoc Networks
Network intrusion detection using genetic algorithm to find best DNA signature
WSEAS TRANSACTIONS on SYSTEMS
IP Packet Size Entropy-Based Scheme for Detection of DoS/DDoS Attacks
IEICE - Transactions on Information and Systems
Evaluation of detection algorithms for MAC layer misbehavior: theory and experiments
IEEE/ACM Transactions on Networking (TON)
Intrusion Detection System for Denial-of-Service flooding attacks in SIP communication networks
International Journal of Security and Networks
Effective DDoS Attacks Detection Using Generalized Entropy Metric
ICA3PP '09 Proceedings of the 9th International Conference on Algorithms and Architectures for Parallel Processing
A notation and representation for describing and evolving correlation patterns
ASC '07 Proceedings of The Eleventh IASTED International Conference on Artificial Intelligence and Soft Computing
A cascade architecture for DoS attacks detection based on the wavelet transform
Journal of Computer Security
Using an Evolutionary Neural Network for web intrusion detection
AIA '08 Proceedings of the 26th IASTED International Conference on Artificial Intelligence and Applications
Collaborative architecture for distributed intrusion detection system
CISDA'09 Proceedings of the Second IEEE international conference on Computational intelligence for security and defense applications
PAKDD'07 Proceedings of the 11th Pacific-Asia conference on Advances in knowledge discovery and data mining
A hybrid, stateful and cross-protocol intrusion detection system for converged applications
OTM'07 Proceedings of the 2007 OTM confederated international conference on On the move to meaningful internet systems: CoopIS, DOA, ODBASE, GADA, and IS - Volume Part II
A distributed multi-approach intrusion detection system for web services
Proceedings of the 3rd international conference on Security of information and networks
Toward credible evaluation of anomaly-based intrusion-detection methods
IEEE Transactions on Systems, Man, and Cybernetics, Part C: Applications and Reviews
OverCourt: DDoS mitigation through credit-based traffic segregation and path migration
Computer Communications
KIDS: keyed intrusion detection system
DIMVA'10 Proceedings of the 7th international conference on Detection of intrusions and malware, and vulnerability assessment
A queue model to detect DDos attacks
CTS'05 Proceedings of the 2005 international conference on Collaborative technologies and systems
A specification based intrusion detection framework for mobile phones
ACNS'11 Proceedings of the 9th international conference on Applied cryptography and network security
A differentiated one-class classification method with applications to intrusion detection
Expert Systems with Applications: An International Journal
Redesign and implementation of evaluation dataset for intrusion detection system
ETRICS'06 Proceedings of the 2006 international conference on Emerging Trends in Information and Communication Security
SoIDPS: sensor objects-based intrusion detection and prevention system and its implementation
CIS'05 Proceedings of the 2005 international conference on Computational Intelligence and Security - Volume Part II
On random-inspection-based intrusion detection
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Enforcing security with behavioral fingerprinting
Proceedings of the 7th International Conference on Network and Services Management
iTrust'05 Proceedings of the Third international conference on Trust Management
Anagram: a content anomaly detector resistant to mimicry attack
RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
Anomaly detection methods in wired networks: a survey and taxonomy
Computer Communications
International Journal of Communication Systems
A possibilistic approach to intrusion detection under imperfect logging protocol
Proceedings of the 6th International Conference on Security of Information and Networks
Discovery of emergent malicious campaigns in cellular networks
Proceedings of the 29th Annual Computer Security Applications Conference
Cross-domain privacy-preserving cooperative firewall optimization
IEEE/ACM Transactions on Networking (TON)
Computer Networks: The International Journal of Computer and Telecommunications Networking
Hi-index | 0.00 |
Unlike signature or misuse based intrusion detection techniques, anomaly detection is capable of detecting novel attacks. However, the use of anomaly detection in practice is hampered by a high rate of false alarms. Specification-based techniques have been shown to produce a low rate of false alarms, but are not as effective as anomaly detection in detecting novel attacks, especially when it comes to network probing and denial-of-service attacks. This paper presents a new approach that combines specification-based and anomaly-based intrusion detection, mitigating the weaknesses of the two approaches while magnifying their strengths. Our approach begins with state-machine specifications of network protocols, and augments these state machines with information about statistics that need to be maintained to detect anomalies. We present a specification language in which all of this information can be captured in a succinct manner. We demonstrate the effectiveness of the approach on the 1999 Lincoln Labs intrusion detection evaluation data, where we are able to detect all of the probing and denial-of-service attacks with a low rate of false alarms (less than 10 per day). Whereas feature selection was a crucial step that required a great deal of expertise and insight in the case of previous anomaly detection approaches, we show that the use of protocol specifications in our approach simplifies this problem. Moreover, the machine learning component of our approach is robust enough to operate without human supervision, and fast enough that no sampling techniques need to be employed. As further evidence of effectiveness, we present results of applying our approach to detect stealthy email viruses in an intranet environment.