Experimenting with an Intrusion Detection System for Encrypted Networks
International Journal of Business Intelligence and Data Mining
Intrusion Detection Systems (IDS) are responsible for monitoring and analyzing host or network activity to detect intrusions, in order to protect information from unauthorized access or manipulation. There are two main approaches to intrusion detection: signature-based and anomaly-based. Signature-based detection employs pattern matching to match attack signatures against observed data, making it ideal for detecting known attacks. However, it cannot detect unknown attacks for which no signature is available. Anomaly-based detection uses machine-learning techniques to create a profile of normal system behavior and uses this profile to detect deviations from that behavior. Although this technique is effective in detecting unknown attacks, it has the drawback of a high false-alarm rate. In this paper, we describe our anomaly-based IDS, designed to detect malicious use of cryptographic and application-level protocols. Our system has several unique characteristics and benefits, such as the ability to monitor cryptographic protocols and application-level protocols embedded in encrypted sessions, a very lightweight monitoring process, and the ability to react to protocol misuse by modifying the protocol response directly.
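As an added illustration of the two approaches contrasted in the abstract (example code written for this page, not the paper's system), the following Python sketch runs a signature matcher and a transition-profile anomaly detector over protocol message-type traces; the message names, traces and the "auth-bruteforce" signature are constructed for the example, and the last case shows the false-alarm drawback the abstract mentions.

```python
"""Signature-based vs. anomaly-based detection over protocol message traces.
All message types, traces and signatures below are constructed sample data."""

# Normal sessions of a hypothetical authenticated protocol (constructed).
NORMAL_TRACES = [
    ["HELLO", "AUTH", "AUTH_OK", "DATA", "DATA", "CLOSE"],
    ["HELLO", "AUTH", "AUTH_OK", "DATA", "CLOSE"],
    ["HELLO", "AUTH", "AUTH_OK", "DATA", "DATA", "DATA", "CLOSE"],
    ["HELLO", "AUTH", "AUTH_FAIL", "AUTH", "AUTH_OK", "DATA", "CLOSE"],
]

# Known-attack signature (constructed): three failed logins in a row.
SIGNATURES = {
    "auth-bruteforce": ("AUTH", "AUTH_FAIL", "AUTH", "AUTH_FAIL",
                        "AUTH", "AUTH_FAIL"),
}


def signature_detect(trace, signatures=SIGNATURES):
    """Return the names of signatures found as a contiguous run in trace.
    Only attacks with a written signature can ever be reported here."""
    hits = []
    for name, pattern in signatures.items():
        n = len(pattern)
        if any(tuple(trace[i:i + n]) == pattern
               for i in range(len(trace) - n + 1)):
            hits.append(name)
    return hits


def build_profile(traces):
    """Profile of normal behaviour: the set of (previous, next) message-type
    transitions seen in training, with START/END sentinels so that the first
    and last messages of a session are profiled too."""
    transitions = set()
    for trace in traces:
        seq = ["START"] + trace + ["END"]
        transitions.update(zip(seq, seq[1:]))
    return transitions


def anomaly_detect(trace, profile):
    """Return every transition in trace that never occurred during profiling.
    Unseen attacks are caught, but so is unseen *legitimate* behaviour."""
    seq = ["START"] + trace + ["END"]
    return [step for step in zip(seq, seq[1:]) if step not in profile]


if __name__ == "__main__":
    profile = build_profile(NORMAL_TRACES)
    unknown_attack = ["HELLO", "DATA", "CLOSE"]           # skips authentication
    benign_unseen = ["HELLO", "AUTH", "AUTH_OK", "CLOSE"]  # legitimate, no DATA
    print("signature:", signature_detect(unknown_attack))      # []  (missed)
    print("anomaly:  ", anomaly_detect(unknown_attack, profile))  # flagged
    print("false alarm:", anomaly_detect(benign_unseen, profile))  # flagged too
```

The anomaly detector flags the unauthenticated session that the signature matcher misses, but also raises an alert on the harmless session with no DATA message, which is exactly the false-alarm cost the abstract describes.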