Portscan detectors in network intrusion detection products are easy to evade. They classify a source as a portscanner when it sends more than N distinct probes within M seconds, so an attacker who probes more slowly than that rate is never flagged. This paper begins with an analysis of the scan detection problem, and then presents Spice (Stealthy Probing and Intrusion Correlation Engine), a portscan detector that is effective against stealthy scans yet operationally practical. Our design maintains records of event likelihood, from which we approximate the anomalousness of a given packet. We use simulated annealing to cluster anomalous packets together into portscans, using heuristics developed from real scans. The more anomalous a packet, the longer it is retained. This should enable us to detect all the scans detected by current techniques, plus many stealthy scans, with manageable false positives. We also discuss detection of other activity such as stealthy worms and DDoS control networks.
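The two detection ideas in the abstract can be seen side by side on a small constructed packet log. The Python below is an added example, not code from the Spice paper or its authors: the log, the probability model (destination host and port treated as independent and estimated with Laplace smoothing from a training window assumed to be scan-free), the linear "seconds per bit of surprise" retention rule, the score budget and the grouping of retained packets by source address are all illustrative choices made here; Spice's own likelihood records, retention policy and simulated-annealing clustering are not reproduced. It shows why a fixed N-in-M-seconds rule misses a slow scanner while anomaly-weighted retention catches both scanners without flagging the ordinary clients.

```python
"""Portscan detection: a fixed N-probes-in-M-seconds threshold versus
anomaly-weighted packet retention.

Added example, not code from the Spice paper.  The log, the probability
model (destination host and port treated as independent, Laplace-smoothed),
the linear retention rule and the score budget are illustrative choices.
"""
import math
from collections import Counter, defaultdict, deque

# Constructed packet log: (time_s, src_ip, dst_ip, dst_port).
# Seven internal clients talk to two servers on ports 80/443/22 for ten minutes.
BACKGROUND = []
for t in range(0, 600, 2):
    port = (80, 443, 22)[(t // 2) % 3]
    dst = "192.0.2.11" if port == 22 else "192.0.2.10"
    BACKGROUND.append((t, f"10.0.0.{1 + t % 7}", dst, port))

# A noisy scanner: eight ports, one probe per second.
FAST_SCAN = [(100 + i, "198.51.100.5", "192.0.2.10", 1000 + i) for i in range(8)]
# A stealthy scanner: eight ports, one probe every 45 s, so no 10 s window
# ever holds more than one of its probes.
STEALTHY_SCAN = [(50 + 45 * i, "203.0.113.7", "192.0.2.10", 2000 + i) for i in range(8)]


def threshold_detector(packets, n=5, m=10):
    """Classic rule: flag a source with more than n distinct (dst, port)
    targets inside any m-second window."""
    windows = defaultdict(deque)
    flagged = set()
    for t, src, dst, port in sorted(packets):
        w = windows[src]
        w.append((t, (dst, port)))
        while w[0][0] < t - m:
            w.popleft()
        if len({target for _, target in w}) > n:
            flagged.add(src)
    return flagged


class LikelihoodDetector:
    """Score each packet by how unlikely its destination host and port are
    under counts learned from a training window, keep it for a time
    proportional to that score, and flag a source once the summed score of
    its retained packets exceeds a budget.  Spice clusters retained packets
    into scans with simulated annealing; here packets are simply grouped
    by source address (a simplification made for this example)."""

    def __init__(self, training, budget=30.0, seconds_per_bit=20.0):
        self.port_counts = Counter(p for _, _, _, p in training)
        self.host_counts = Counter(d for _, _, d, _ in training)
        self.n = len(training)
        self.budget = budget
        self.seconds_per_bit = seconds_per_bit

    def _surprise(self, counter, key):
        # Laplace smoothing: one pseudo-count per seen value plus one for
        # "never seen", so an unseen port gets a large but finite score.
        p = (counter[key] + 1) / (self.n + len(counter) + 1)
        return -math.log2(p)

    def score(self, pkt):
        """Anomaly score in bits: -log2 P(port) - log2 P(host)."""
        _, _, dst, port = pkt
        return self._surprise(self.port_counts, port) + self._surprise(self.host_counts, dst)

    def run(self, packets):
        retained = defaultdict(list)  # src -> [(expiry_time, score)]
        flagged = set()
        for pkt in sorted(packets):
            t, src = pkt[0], pkt[1]
            s = self.score(pkt)
            pool = [(exp, sc) for exp, sc in retained[src] if exp >= t]
            pool.append((t + s * self.seconds_per_bit, s))  # anomalous packets live longer
            retained[src] = pool
            if sum(sc for _, sc in pool) > self.budget:
                flagged.add(src)
        return flagged


def compare():
    """Return (threshold_hits, likelihood_hits) over the whole constructed log."""
    log = BACKGROUND + FAST_SCAN + STEALTHY_SCAN
    return threshold_detector(log), LikelihoodDetector(BACKGROUND).run(log)


if __name__ == "__main__":
    thr, lik = compare()
    print("threshold rule flagged :", sorted(thr))
    print("likelihood rule flagged:", sorted(lik))
```

With these constructed numbers a probe to an unseen port scores about 8.8 bits and is retained for roughly three minutes, so the stealthy scanner's 45-second spacing leaves four probes in its pool by the fourth probe and trips the budget; an ordinary client's packets score 2 to 3 bits, expire within a minute, and never accumulate more than about 13 bits. The caveats a practitioner should carry over to a real deployment are visible in the code: the model is only as good as the training window (a scan present during training lowers its own surprise), and the budget and retention constants trade detection latency against false positives on legitimately unusual but benign traffic.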