IEEE Transactions on Software Engineering - Special issue on computer security and privacy
Why we don't know how to simulate the Internet
Proceedings of the 29th conference on Winter simulation
The base-rate fallacy and the difficulty of intrusion detection
ACM Transactions on Information and System Security (TISSEC)
ACM Transactions on Information and System Security (TISSEC)
Characteristics of network traffic flow anomalies
IMW '01 Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement
Specification-based anomaly detection: a new approach for detecting network intrusions
Proceedings of the 9th ACM conference on Computer and communications security
Benchmarking Anomaly-Based Detection Systems
DSN '00 Proceedings of the 2000 International Conference on Dependable Systems and Networks (formerly FTCS-30 and DCCA-8)
Internet intrusions: global characteristics and prevalence
SIGMETRICS '03 Proceedings of the 2003 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
An empirical analysis of NATE: Network Analysis of Anomalous Traffic Events
Proceedings of the 2002 workshop on New security paradigms
A Sense of Self for Unix Processes
SP '96 Proceedings of the 1996 IEEE Symposium on Security and Privacy
Learning Rules for Anomaly Detection of Hostile Network Traffic
ICDM '03 Proceedings of the Third IEEE International Conference on Data Mining
Bootstrapping a data mining intrusion detection system
Proceedings of the 2003 ACM symposium on Applied computing
Characteristics of internet background radiation
Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
Snort - Lightweight Intrusion Detection for Networks
LISA '99 Proceedings of the 13th USENIX conference on System administration
Profiling internet backbone traffic: behavior models and applications
Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
Mining anomalies using traffic feature distributions
Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
Network intrusion detection: evasion, traffic normalization, and end-to-end protocol semantics
SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Undermining an anomaly-based intrusion detection system using common exploits
RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
Probabilistic techniques for intrusion detection based on computer audit data
IEEE Transactions on Systems, Man, and Cybernetics, Part A: Systems and Humans
Dependable security: testing network intrusion detection systems
HotDep'07 Proceedings of the 3rd workshop on on Hot Topics in System Dependability
NetADHICT: a tool for understanding network traffic
LISA'07 Proceedings of the 21st conference on Large Installation System Administration Conference
On the Limits of Payload-Oblivious Network Attack Detection
RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Using static analysis for Ajax intrusion detection
Proceedings of the 18th international conference on World wide web
An integrated approach to detection of fast and slow scanning worms
Proceedings of the 4th International Symposium on Information, Computer, and Communications Security
The user is not the enemy: fighting malware by tracking user intentions
Proceedings of the 2008 workshop on New security paradigms
Self-healing: science, engineering, and fiction
NSPW '07 Proceedings of the 2007 Workshop on New Security Paradigms
Detection of slow malicious worms using multi-sensor data fusion
CISDA'09 Proceedings of the Second IEEE international conference on Computational intelligence for security and defense applications
Mining frequent patterns from network flows for monitoring network
Expert Systems with Applications: An International Journal
Dartmouth internet security testbed (DIST: building a campus-wide wireless testbed
CSET'09 Proceedings of the 2nd conference on Cyber security experimentation and test
CSET'09 Proceedings of the 2nd conference on Cyber security experimentation and test
Dartmouth internet security testbed (DIST: building a campus-wide wireless testbed
CSET'09 Proceedings of the 2nd conference on Cyber security experimentation and test
Toward credible evaluation of anomaly-based intrusion-detection methods
IEEE Transactions on Systems, Man, and Cybernetics, Part C: Applications and Reviews
KIDS: keyed intrusion detection system
DIMVA'10 Proceedings of the 7th international conference on Detection of intrusions and malware, and vulnerability assessment
Vulnerability extrapolation: assisted discovery of vulnerabilities using machine learning
WOOT'11 Proceedings of the 5th USENIX conference on Offensive technologies
Cross-Domain collaborative anomaly detection: so far yet so close
RAID'11 Proceedings of the 14th international conference on Recent Advances in Intrusion Detection
Turtles all the way down: a clean-slate, ground-up, first-principles approach to secure systems
Proceedings of the 2012 workshop on New security paradigms
A close look on n-grams in intrusion detection: anomaly detection vs. classification
Proceedings of the 2013 ACM workshop on Artificial intelligence and security
Proceedings of the 2013 workshop on New security paradigms workshop
| Hi-index | 0.00 |
In 1987, Dorothy Denning published the seminal paper on anomaly detection as applied to intrusion detection on a single system. Her paper sparked a new paradigm in intrusion detection research with the notion that malicious behavior could be distinguished from normal system use. Since that time, a great deal of anomaly detection research based on Denning's original premise has occurred. However, Denning's assumptions about anomalies that originate on a single host have been applied essentially unaltered to networks. In this paper we question the application of Denning's work to network based anomaly detection, along with other assumptions commonly made in network-based detection research. We examine the assumptions underlying selected studies of network anomaly detection and discuss these assumptions in the context of the results from studies of network traffic patterns. The purpose of questioning the old paradigm of anomaly detection as a strategy for network intrusion detection is to reconfirm the paradigm as sound or begin the process of replacing it with a new paradigm in light of changes in the operating environment.