ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Service specific anomaly detection for network intrusion detection
Full text PdfPdf (719 KB)
Source Symposium on Applied Computing archive
Proceedings of the 2002 ACM symposium on Applied computing table of contents
Madrid, Spain
SESSION: Computer security table of contents
Pages: 201 - 208  
Year of Publication: 2002
ISBN:1-58113-445-2
Authors
Christopher Krügel  Technical University Vienna, A-1040 Vienna, Austria
Thomas Toth  Technical University Vienna, A-1040 Vienna, Austria
Engin Kirda  Technical University Vienna, A-1040 Vienna, Austria
Sponsor
SIGAPP: ACM Special Interest Group on Applied Computing
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 10,   Downloads (12 Months): 134,   Citation Count: 22
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/508791.508835
What is a DOI?

ABSTRACT

The constant increase of attacks against networks and their resources (as recently shown by the CodeRed worm) causes a necessity to protect these valuable assets. Firewalls are now a common installation to repel intrusion attempts in the first place. Intrusion detection systems (IDS), which try to detect malicious activities instead of preventing them, offer additional protection when the first defense perimeter has been penetrated. ID systems attempt to pin down attacks by comparing collected data to predefined signatures known to be malicious (signature based) or to a model of legal behavior (anomaly based).Anomaly based systems have the advantage of being able to detect previously unknown attacks but they suffer from the difficulty to build a solid model of acceptable behavior and the high number of alarms caused by unusual but authorized activities. We present an approach that utilizes application specific knowledge of the network services that should be protected. This information helps to extend current, simple network traffic models to form an application model that allows to detect malicious content hidden in single network packets. We describe the features of our proposed model and present experimental data that underlines the efficiency of our systems.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
arachNIDS: advanced reference archive of current heuristics for Network Intrusion Detection Systems. http://www.whitehats.com/ids, 2001.
 
2
M. Bykova, S. Ostermann, and B. Tjaden. Detecting network intrusions via a statistical analysis of network packet characteristics. In Proceedings of the 33rd Southeastern Symposium on System Theory, 2001.
 
3
João B. D. Cabrera , B. Ravichandran , Raman K. Mehra, Statistical Traffic Modeling for Network Intrusion Detection, Proceedings of the 8th International Symposium on Modeling, Analysis and Simulation of Computer and Telecommunication Systems, p.466, August 29-September 01, 2000
 
4
CERT Advisory CA-1999-14 Multiple vulnerabilities in BIND. http://www.cert.org/advisories/CA-1999-14.html, 1999.
 
5
CERT Advisory CA-2001-02 Multiple vulnerabilities in BIND. http://www.cert.org/advisories/CA-2001-02.html, 2001.
 
6
Dorothy Denning. An intrusion-detection model. In IEEE Symposium on Security and Privacy, pages 118-131, Oakland, USA, 1986.
 
7
Laurent Eschenauer. Imsafe. http://imsafe.sourceforge.net, 2001.
 
8
Stephanie Forrest , Steven A. Hofmeyr , Anil Somayaji , Thomas A. Longstaff, A Sense of Self for Unix Processes, Proceedings of the 1996 IEEE Symposium on Security and Privacy, p.120, May 06-08, 1996
 
9
A. Ghosh and A. Schwartzbard. A study in using neural networks for anomaly and misuse detection. In USENIX Security Symposium, 1999.
 
10
MIT Lincoln Labs. DARPA Intrusion Detection Evaluation. http://www.ll.mit.edu/IST/ideval, 1998.
 
11
Wenke Lee, Sal Stolfo, and Kui Mok. A data mining framework for building intrusion detection models. In In Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, May 1999.
 
12
Peter G. Neumann , Phillip A. Porras, Experience with EMERALD to Date, Proceedings of the Workshop on Intrusion Detection and Network Monitoring, p.73-80, April 09-12, 1999
 
13
Phillip A. Porras and Peter G. Neumann. Emerald: Event monitoring enabling responses to anomalous live disturbances. In Proceedings of the 20th NIS Security Conference, October 1997.
 
14
Phillip A. Porras and Alfonso Valdes. Live traffic analysis of TCP/IP gateways. In Internet Society's Networks and Distributed Systems Security Symposium, March 1998.
 
15
Martin Roesch, Snort - Lightweight Intrusion Detection for Networks, Proceedings of the 13th USENIX conference on System administration, November 07-12, 1999, Seattle, Washington
 
16
Dug Song. Fragrouter. http://www.monkey.org/~dugsong/, 2000.
 
17
Stuart Staniford, James A. Hoagland, and Joseph M. , McAlerney. Practical automated detection of stealthy portscans. In Proceedings of the IDS Workshop of the 7th Computer and Communications Security Conference, Athens, 2000.
 
18
G. Vigna , R. A. Kemmerer, NetSTAT: A Network-Based Intrusion Detection Approach, Proceedings of the 14th Annual Computer Security Applications Conference, p.25, December 07-11, 1998

CITED BY  22
Christopher Kruegel , Giovanni Vigna, Anomaly detection of web-based attacks, Proceedings of the 10th ACM conference on Computer and communications security, October 27-30, 2003, Washington D.C., USA
Juan M. Estévez-Tapiador , Pedro García-Teodoro , Jesús E. Díaz-Verdejo, Measuring normality in HTTP traffic for anomaly-based intrusion detection, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.45 n.2, p.175-193, 5 June 2004
Kevin Borders , Atul Prakash, Web tap: detecting covert web traffic, Proceedings of the 11th ACM conference on Computer and communications security, October 25-29, 2004, Washington DC, USA
Christopher Kruegel , Giovanni Vigna , William Robertson, A multi-model approach to the detection of web-based attacks, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.48 n.5, p.717-738, 5 August 2005
Shai Rubin , Mihai Christodorescu , Vinod Ganapathy , Jonathon T. Giffin , Louis Kruger , Hao Wang , Nicholas Kidd, An auctioning reputation system based on anomaly, Proceedings of the 12th ACM conference on Computer and communications security, November 07-11, 2005, Alexandria, VA, USA
Shai Rubin , Somesh Jha , Barton P. Miller, Protomatching network traffic for high throughputnetwork intrusion detection, Proceedings of the 13th ACM conference on Computer and communications security, October 30-November 03, 2006, Alexandria, Virginia, USA
Prahlad Fogla , Wenke Lee, Evading network anomaly detection systems: formal reasoning and practical techniques, Proceedings of the 13th ACM conference on Computer and communications security, October 30-November 03, 2006, Alexandria, Virginia, USA
Fu-Hau Hsu , Fanglu Guo , Tzi-cker Chiueh, Scalable network-based buffer overflow attack detection, Proceedings of the 2006 ACM/IEEE symposium on Architecture for networking and communications systems, December 03-05, 2006, San Jose, California, USA
Tao Peng , Christopher Leckie , Kotagiri Ramamohanarao, Information sharing for distributed intrusion detection systems, Journal of Network and Computer Applications, v.30 n.3, p.877-899, August, 2007
Animesh Patcha , Jung-Min Park, An overview of anomaly detection techniques: Existing solutions and latest technological trends, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.12, p.3448-3470, August, 2007
Nong Ye , Bashettihalli Harish , Toni Farley, Attack profiles to derive data observations, features, and characteristics of cyber attacks, Information-Knowledge-Systems Management, v.5 n.1, p.23-47, January 2005
Taieb Znati , James Amadei , Daniel R. Pazehoski , Scott Sweeny, Design and Analysis of an Adaptive, Global Strategy for Detecting and Mitigating Distributed DoS Attacks in GRID Environments, Proceedings of the 39th annual Symposium on Simulation, p.2-9, April 02-06, 2006
Gaurav Tandon , Philip K. Chan, Weighting versus pruning in rule validation for detecting network and host anomalies, Proceedings of the 13th ACM SIGKDD international conference on Knowledge discovery and data mining, August 12-15, 2007, San Jose, California, USA
Taieb Znati , James Amadei , Daniel R. Pazehoski , Scott Sweeny, On the Design and Performance of an Adaptive, Global Strategy for Detecting and Mitigating Distributed DoS Attacks in GRID and Collaborative Workflow Environments, Simulation, v.83 n.3, p.291-303, March 2007
Mohamed Nassar , Saverio Niccolini , Radu State , Thilo Ewald, Holistic VoIP intrusion detection and prevention system, Proceedings of the 1st international conference on Principles, systems and applications of IP telecommunications, July 19-20, 2007, New York City, New York
Tak-Chung Fu , Chung-Leung Lui, Agent-oriented network intrusion detection system using data mining approaches, International Journal of Agent-Oriented Software Engineering, v.1 n.2, p.158-174, July 2007
K. P. Adhiya , S. R. Kolhe , Sandip S. Patil, Tracking and identification of suspicious and abnormal behaviors using supervised machine learning technique, Proceedings of the International Conference on Advances in Computing, Communication and Control, January 23-24, 2009, Mumbai, India
Ikkyun Kim , Daewon Kim , Byoungkoo Kim , Yangseo Choi , Seongyong Yoon , Jintae Oh , Jongsoo Jang, An architecture of unknown attack detection system against zero-day worm, Proceedings of the 8th conference on Applied computer scince, p.205-210, November 21-23, 2008, Venice, Italy
Muhai Li , Ming Li, A method of run-time detecting DDos attacks, Proceedings of the 12th WSEAS international conference on Computers, p.393-398, July 23-25, 2008, Heraklion, Greece
Roberto Perdisci , Davide Ariu , Prahlad Fogla , Giorgio Giacinto , Wenke Lee, McPAD: A multiple classifier system for accurate payload-based anomaly detection, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.53 n.6, p.864-881, April, 2009
Makoto Shimamura , Miyuki Hanaoka , Kenji Kono, Filtering False Positives Based on Server-Side Behaviors, IEICE - Transactions on Information and Systems, v.E91-D n.2, p.264-276, February 2008
Varun Chandola , Arindam Banerjee , Vipin Kumar, Anomaly detection: A survey, ACM Computing Surveys (CSUR), v.41 n.3, p.1-58, July 2009

INDEX TERMS

Primary Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS
      C.2.0 General
          Subjects: Security and protection (e.g., firewalls)

Additional Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS
      C.2.3 Network Operations
          Subjects: Network monitoring

  K. Computing Milieux
  K.6 MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS
      K.6.5 Security and Protection (D.4.6, K.4.2)
          Subjects: Unauthorized access (e.g., hacking, phreaking); Invasive software (e.g., viruses, worms, Trojan horses)


General Terms:
Algorithms, Design, Performance, Security


Keywords:
anomaly eetection, intrusion eetection, network security

Collaborative Colleagues:
Christopher Krügel: colleagues
Thomas Toth: colleagues
Engin Kirda: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player