A Serial Combination of Anomaly and Misuse IDSes Applied to HTTP Traffic

Authors:
Elvis Tombini;Herve Debar;Ludovic Me;Mireille Ducasse
Affiliations:
France Télécom, Caen, France;France Télécom, Caen, France;Supélec, Rennes, France;IRISA/INSA, Rennes, France
Venue:
ACSAC '04 Proceedings of the 20th Annual Computer Security Applications Conference
Year:
2004

Citing 0
Cited 15

An anomaly-driven reverse proxy for web applications

Proceedings of the 2006 ACM symposium on Applied computing
Learning DFA representations of HTTP for protecting web applications

Computer Networks: The International Journal of Computer and Telecommunications Networking
An overview of anomaly detection techniques: Existing solutions and latest technological trends

Computer Networks: The International Journal of Computer and Telecommunications Networking
Detecting Shrew HTTP Flood Attacks for Flash Crowds

ICCS '07 Proceedings of the 7th international conference on Computational Science, Part I: ICCS 2007
A Multi-Sensor Model to Improve Automated Attack Detection

RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
TCP Reassembler for Layer7-Aware Network Intrusion Detection/Prevention Systems

IEICE - Transactions on Information and Systems
Reducing errors in the anomaly-based detection of web-based attacks through the combined analysis of web requests and SQL queries

Journal of Computer Security - Best papers of the Sec Track at the 2006 ACM Symposium
Detecting Network Anomalies Using CUSUM and EM Clustering

ISICA '09 Proceedings of the 4th International Symposium on Advances in Computation and Intelligence
Splash: ad-hoc querying of data and statistical models

Proceedings of the 13th International Conference on Extending Database Technology
Comparing anomaly detection techniques for HTTP

RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
Hybrid detection of application layer attacks using Markov models for normality and attacks

ICICS'10 Proceedings of the 12th international conference on Information and communications security
COTS diversity based intrusion detection and application to web servers

RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Intrusion detection using disagreement-based semi-supervised learning: detection enhancement and false alarm reduction

CSS'12 Proceedings of the 4th international conference on Cyberspace Safety and Security
A distance sum-based hybrid method for intrusion detection

Applied Intelligence
Alert correlation: Severe attack prediction and controlling false alarm rate tradeoffs

Intelligent Data Analysis

Quantified Score

Hi-index	0.00

Visualization

Abstract

Combining an "anomaly" and a "misuse" IDSes offers the advantage of separting the monitored events between normal, intrusive or unqualified classes (ie not known as an attack, but not recognize as safe either). In this article, we provide a framework to systematically reason about the combination of anomaly and misuse components.This framework applied to web servers lead us to propose a serial architecture, using a drastic anomaly component with a sensitive misuse component. This architecture provides the operator with better qualification of the detection results, raises lower amount of false alarms and unqualified events.