NATE

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

NATE: Network Analysis of Anomalous Traffic Events, a low-cost approach

Full text

Pdf (709 KB)

Source

New Security Paradigms Workshop archive
Proceedings of the 2001 workshop on New security paradigms table of contents

Cloudcroft, New Mexico

SESSION: Session 5: less is more table of contents

Pages: 89 - 96

Year of Publication: 2001

ISBN:1-58113-457-6

Authors

Carol Taylor	University of Idaho, Moscow, Idaho
Jim Alves-Foss	University of Idaho, Moscow, Idaho

Sponsor

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 6, Downloads (12 Months): 45, Citation Count: 9

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/508171.508186 What is a DOI?

ABSTRACT

A new approach to network intrusion detection is needed to solve the monitoring problems of high volume network data and the time constraints for Intrusion Detection System (IDS) management. Most current network IDS's have not been specifically designed for high speed traffic or low maintenance. We propose a solution to these problems which we call NATE, Network Analysis of Anomalous Traffic Events. Our approach features minimal network traffic measurement, an anomaly-based detection method, and a limited attack scope. NATE is similar to other lightweight approaches in its simplified design, but our approach, being anomaly based, should be more efficient in both operation and maintenance than other lightweight approaches. We present the method and perform an empirical test using MIT Lincoln Lab's data.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	J. Allen et al. State of the practice intrusion detection technologies. Carnegie Mellon, SEI, Tech Report, CMU/SEI-99-TR-028, ESC-99-028, January 2000.
	2	Stephanie Forrest , Steven A. Hofmeyr , Anil Somayaji, Computer immunology, Communications of the ACM, v.40 n.10, p.88-96, Oct. 1997 [doi>10.1145/262793.262811]
	3	L. T. Heberlein, G. V. Dias, K. N. Levitt, B. Mukherjee, J. Wood, and D. Wolber.A network security monitor. In Proceedings of the IEEE Symposium on Research in Security and Privacy, Oakland, CA, April 1990.
	4	Steven A. Hofmeyr , Stephanie A. Forrest, Architecture for an Artificial Immune System, Evolutionary Computation, v.8 n.4, p.443-473, December 2000 [doi>10.1162/106365600568257]
	5	V. Jacobson, C. Leres, and S. McCanne. tcpdump. LBNL, University of California, June 1997, ftp://ftp.ee.lbl.gov/tcpdump.tar.Z.
	6	H. S. Javitz, and A. Valdes. The NIDES statistical component: description and justification. Tech. Report, Computer Science Lab., SRI-Int., Menlo Park, CA, March 1994.
	7	D. E. Johnson. Applied Multivariate Methods for Data Analysis. Brooks/Cole Publishing Co., 1998.
	8	L. Kaufman and P. J. Rousseeuw. Finding Groups in Data: An Introduction to Cluster Analysis. Wiley Series in Probability and Mathematical Statistics, John Wiley and Sons, Inc., 1990.
	9	K. Kendell. A database of computer attacks for the evaluation of intrusion detection systems. Masters Thesis, MIT, June 1999
	10	R. Lippmann and M. Zissman. Intrusion detection technical evaluation --- 1998 project summary. www.darpa.mit/ito.
	11	Peter G. Neumann , Phillip A. Porras, Experience with EMERALD to Date, Proceedings of the Workshop on Intrusion Detection and Network Monitoring, p.73-80, April 09-12, 1999
	12	S. Northcutt, V. Irwin, B. Ralph. Shadow. Naval Surface Warfare Center Dahlgren Lab., 1998.
	13	V. Paxson. Experiences learned from Bro. login; The Usenix Assoc. Magazine, Sept. 1999, 21-22.
	14	Marcus J. Ranum , Kent Landfield , Michael T. Stolarchuk , Mark Sienkiewicz , Andrew Lambeth , Eric Wall, Implementing a Generalized Tool for Network Monitoring, Proceedings of the 11th Conference on Systems Administration, p.1-8, October 26-31, 1997
	15	M. Roesch. Snort --- lightweight intrusions detection for networks. www.clark.net/~roesch/security.html.
	16	D. Ruiu. Cautionary tales: stealth coordinated attack howto.www.nswc.navy.mil/ISSEC/CID/Stealth_Coordinated_Attack.html. 1999.
	17	SAS Institute. SAS/STAT Users' Guide, Version 6, Fourth Edition, Vol. 1, SAS Institute, 1990.
	18	R. L. Scheaffer, W. Mendenhall III and R. L. Ott. Elementary Survey Sampling. Wadsworth Publ. Co., 1996.
	19	S. E. Smaha. Haystack: an intrusion detection system. Proceedings IEEE Fourth Aerospace Computer Science Applications Conference, Orlando, FL, Dec. 1988.
	20	S. E. Smaha, T. Grance, D. M. Teal and D. Mensur. Dids --- motivation, architecture, and an early prtotype. Proceedings of 14th National Computer Security Conference, Washington, DC, Oct. 1991.
	21	Anil Somayaji , Steven Hofmeyr , Stephanie Forrest, Principles of a computer immune system, Proceedings of the 1997 workshop on New security paradigms, p.75-82, September 23-26, 1997, Langdale, Cumbria, United Kingdom [doi>10.1145/283699.283742]
	22	S. Staniford-Chen, S. Cheung, R. Crawford, M. Dilger, J. Frank, J. Hoagland, K. Levitt, C. Wee, R. Yip, D. Zerkle. GrIDS --- a graph-based intrusion detection system for large networks. The 19th National Information Systems Security Conference, Oct. 1998.
	23	G. Vigna , R. A. Kemmerer, NetSTAT: A Network-Based Intrusion Detection Approach, Proceedings of the 14th Annual Computer Security Applications Conference, p.25, December 07-11, 1998

CITED BY 9

	Carol Taylor , Jim Alves-Foss, An empirical analysis of NATE: Network Analysis of Anomalous Traffic Events, Proceedings of the 2002 workshop on New security paradigms, September 23-26, 2002, Virginia Beach, Virginia
	R. Sekar , A. Gupta , J. Frullo , T. Shanbhag , A. Tiwari , H. Yang , S. Zhou, Specification-based anomaly detection: a new approach for detecting network intrusions, Proceedings of the 9th ACM conference on Computer and communications security, November 18-22, 2002, Washington, DC, USA
	Dana Zhang , Christopher Leckie, An evaluation technique for network intrusion detection systems, Proceedings of the 1st international conference on Scalable information systems, p.23-es, May 30-June 01, 2006, Hong Kong
	Salvatore J. Stolfo , Shlomo Hershkop , Chia-Wei Hu , Wei-Jen Li , Olivier Nimeskern , Ke Wang, Behavior-based modeling and its application to Email analysis, ACM Transactions on Internet Technology (TOIT), v.6 n.2, p.187-221, May 2006
	Salvatore J. Stolfo , Frank Apap , Eleazar Eskin , Katherine Heller , Shlomo Hershkop , Andrew Honig , Krysta Svore, A comparative evaluation of two algorithms for Windows Registry Anomaly Detection, Journal of Computer Security, v.13 n.4, p.659-693, July 2005
	Nong Ye , Bashettihalli Harish , Toni Farley, Attack profiles to derive data observations, features, and characteristics of cyber attacks, Information-Knowledge-Systems Management, v.5 n.1, p.23-47, January 2005
	Mohamed Hamdi , Noureddine Boudriga, Detecting Denial-of-Service attacks using the wavelet transform, Computer Communications, v.30 n.16, p.3203-3213, November, 2007
	Harsha V. Madhyastha , Balachander Krishnamurthy, A generic language for application-specific flow sampling, ACM SIGCOMM Computer Communication Review, v.38 n.2, April 2008
	Ikkyun Kim , Daewon Kim , Byoungkoo Kim , Yangseo Choi , Seongyong Yoon , Jintae Oh , Jongsoo Jang, An architecture of unknown attack detection system against zero-day worm, Proceedings of the 8th conference on Applied computer scince, p.205-210, November 21-23, 2008, Venice, Italy