ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Digital Library logoTake a look at the new version of this page: [ beta version ]. Tell us what you think.
Learning nonstationary models of normal network traffic for detecting novel attacks
Full text PdfPdf (1.12 MB)
Source International Conference on Knowledge Discovery and Data Mining archive
Proceedings of the eighth ACM SIGKDD international conference on Knowledge discovery and data mining table of contents
Edmonton, Alberta, Canada
SESSION: Industry track papers table of contents
Pages: 376 - 385  
Year of Publication: 2002
ISBN:1-58113-567-X
Authors
Matthew V. Mahoney  Florida Institute of Technology, Melbourne, FL
Philip K. Chan  Florida Institute of Technology, Melbourne, FL
Sponsors
SIGKDD: ACM Special Interest Group on Knowledge Discovery in Data
SIGMOD: ACM Special Interest Group on Management of Data
: AAAI
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 13,   Downloads (12 Months): 83,   Citation Count: 27
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/775047.775102
What is a DOI?

ABSTRACT

Traditional intrusion detection systems (IDS) detect attacks by comparing current behavior to signatures of known attacks. One main drawback is the inability of detecting new attacks which do not have known signatures. In this paper we propose a learning algorithm that constructs models of normal behavior from attack-free network traffic. Behavior that deviates from the learned normal model signals possible novel attacks. Our IDS is unique in two respects. First, it is nonstationary, modeling probabilities based on the time since the last event rather than on average rate. This prevents alarm floods. Second, the IDS learns protocol vocabularies (at the data link through application layers) in order to detect unknown attacks that attempt to exploit implementation errors in poorly tested features of the target software. On the 1999 DARPA IDS evaluation data set [9], we detect 70 of 180 attacks (with 100 false alarms), about evenly divided between user behavioral anomalies (IP addresses and ports, as modeled by most other systems) and protocol anomalies. Because our methods are unconventional there is a significant non-overlap of our IDS with the original DARPA participants, which implies that they could be combined to increase coverage.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
Anderson, Debra, Teresa F. Lunt, Harold Javitz, Ann Tamaru, Alfonso Valdes, "Detecting unusual program behavior using the statistical component of the Next-generation Intrusion Detection Expert System (NIDES)", Computer Science Laboratory SRI-CSL 95--06 May 1995. http://www.srl.sfi.com/papers/5/s/5sri/5sri.pdf
2
Timothy Bell , Ian H. Witten , John G. Cleary, Modeling for text compression, ACM Computing Surveys (CSUR), v.21 n.4, p.557-591, Dec. 1989  [doi>10.1145/76894.76896]
 
3
Barbará, D., N. Wu, S. Jajodia, "Detecting Novel Network Intrusions using Bayes Estimators", First SIAM International Conference on Data Mining, 2001, http://www.siam.org/meetings/sdm01/pdf/sdm01_29.pdf
 
4
Sally Floyd , Vern Paxson, Difficulties in simulating the internet, IEEE/ACM Transactions on Networking (TON), v.9 n.4, p.392-403, August 2001  [doi>10.1109/90.944338]
 
5
Stephanie Forrest , Steven A. Hofmeyr , Anil Somayaji , Thomas A. Longstaff, A Sense of Self for Unix Processes, Proceedings of the 1996 IEEE Symposium on Security and Privacy, p.120, May 06-08, 1996
 
6
Anup K. Ghosh , Aaron Schwartzbard , Michael Schatz, Learning Program Behavior Profiles for Intrusion Detection, Proceedings of the Workshop on Intrusion Detection and Network Monitoring, p.51-62, April 09-12, 1999
 
7
M. Handley, C. Kreibich and V. Paxson, "Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics", Proc. USENIX Security Symposium, 2001.
 
8
Kendall, Kristopher, "A Database of Computer Attacks for the Evaluation of Intrusion Detection Systems", Masters Thesis, MIT, 1999.
 
9
Richard Lippmann , Joshua W. Haines , David J. Fried , Jonathan Korba , Kumar Das, The 1999 DARPA off-line intrusion detection evaluation, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.34 n.4, p.579-595, Oct. 2000  [doi>10.1016/S1389-1286(00)00139-0]
 
10
Mahoney, M., P. K. Chan, "PHAD: Packet Header Anomaly Detection for Identifying Hostile Network Traffic", Florida Tech. technical report 2001--04, http://cs.fit.edu/~tr/
 
11
Peter G. Neumann , Phillip A. Porras, Experience with EMERALD to Date, Proceedings of the Workshop on Intrusion Detection and Network Monitoring, p.73-80, April 09-12, 1999
 
12
Paxson, Vern, "Bro: A System for Detecting Network Intruders in Real-Time", Lawrence Berkeley National Laboratory Proceedings, 7'th USENIX Security Symposium, Jan. 26--29, 1998, San Antonio TX, http://www.usenix.org/publications/library/proceedings/sec98/paxson.html
 
13
Vern Paxson , Sally Floyd, Wide area traffic: the failure of Poisson modeling, IEEE/ACM Transactions on Networking (TON), v.3 n.3, p.226-244, June 1995  [doi>10.1109/90.392383]
 
14
Ptacek, Thomas H., and Timothy N. Newsham, "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection", January, 1998, http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html
 
15
Martin Roesch, Snort - Lightweight Intrusion Detection for Networks, Proceedings of the 13th USENIX conference on System administration, November 07-12, 1999, Seattle, Washington
 
16
Sasha/Beetle, "A Strict Anomaly Detection Model for IDS", Phrack 56(11), 2000, http://www.phrack.org
 
17
R. Sekar , M. Bendre , D. Dhurjati , P. Bollineni, A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors, Proceedings of the 2001 IEEE Symposium on Security and Privacy, p.144, May 14-16, 2001
 
18
SPADE, Silicon Defense, http://www.silicondefense.com/software/spice/

CITED BY  27
M. Otey , S. Parthasarathy , A. Ghoting , G. Li , S. Narravula , D. Panda, Towards NIC-based intrusion detection, Proceedings of the ninth ACM SIGKDD international conference on Knowledge discovery and data mining, August 24-27, 2003, Washington, D.C.
Matthew V. Mahoney, Network traffic anomaly detection based on packet bytes, Proceedings of the 2003 ACM symposium on Applied computing, March 09-12, 2003, Melbourne, Florida
Nilesh Dalvi , Pedro Domingos , Mausam , Sumit Sanghai , Deepak Verma, Adversarial classification, Proceedings of the tenth ACM SIGKDD international conference on Knowledge discovery and data mining, August 22-25, 2004, Seattle, WA, USA
Angelos D. Keromytis , Janak Parekh , Philip N. Gross , Gail Kaiser , Vishal Misra , Jason Nieh , Dan Rubenstein , Sal Stolfo, A holistic approach to service survivability, Proceedings of the 2003 ACM workshop on Survivable and self-regenerative systems: in association with 10th ACM Conference on Computer and Communications Security, p.11-22, October 31-31, 2003, Fairfax, VA
Keisuke Ishibashi , Tsuyoshi Toyono , Katsuyasu Toyama , Masahiro Ishino , Haruhiko Ohshima , Ichiro Mizukoshi, Detecting mass-mailing worm infected hosts by mining DNS traffic data, Proceeding of the 2005 ACM SIGCOMM workshop on Mining network data, August 26-26, 2005, Philadelphia, Pennsylvania, USA
Christopher Kruegel , Giovanni Vigna , William Robertson, A multi-model approach to the detection of web-based attacks, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.48 n.5, p.717-738, 5 August 2005
Zhuowei Li , Amitabha Das, Analyzing and evaluating dynamics in stide performance for intrusion detection, Knowledge-Based Systems, v.19 n.7, p.576-591, November, 2006
Sebastian Elbaum , Satya Kanduri , Anneliese Andrews, Trace anomalies as precursors of field failures: an empirical study, Empirical Software Engineering, v.12 n.5, p.447-469, October 2007
Guizhen Yang, Computational aspects of mining maximal frequent patterns, Theoretical Computer Science, v.362 n.1, p.63-85, 11 October 2006
Kenneth L. Ingham , Anil Somayaji , John Burge , Stephanie Forrest, Learning DFA representations of HTTP for protecting web applications, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.5, p.1239-1255, April, 2007
Marco Barreno , Blaine Nelson , Russell Sears , Anthony D. Joseph , J. D. Tygar, Can machine learning be secure?, Proceedings of the 2006 ACM Symposium on Information, computer and communications security, March 21-24, 2006, Taipei, Taiwan
Yihua Liao , V. Rao Vemuri , Alejandro Pasos, Adaptive anomaly detection with evolving connectionist systems, Journal of Network and Computer Applications, v.30 n.1, p.60-80, January 2007
Yang Li , Binxing Fang , Li Guo , You Chen, Network anomaly detection based on TCM-KNN algorithm, Proceedings of the 2nd ACM symposium on Information, computer and communications security, March 20-22, 2007, Singapore
Animesh Patcha , Jung-Min Park, Network anomaly detection with incomplete audit data, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.13, p.3935-3955, September, 2007
Animesh Patcha , Jung-Min Park, An overview of anomaly detection techniques: Existing solutions and latest technological trends, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.12, p.3448-3470, August, 2007
Matthew Eric Otey , Amol Ghoting , Srinivasan Parthasarathy, Fast Distributed Outlier Detection in Mixed-Attribute Data Sets, Data Mining and Knowledge Discovery, v.12 n.2-3, p.203-228, May 2006
Yoohwan Kim , Wing Cheong Lau , Mooi Choo Chuah , H. Jonathan Chao, PacketScore: A Statistics-Based Packet Filtering Scheme against Distributed Denial-of-Service Attacks, IEEE Transactions on Dependable and Secure Computing, v.3 n.2, p.141-155, April 2006
Yubao Liu , Jiarong Cai , Zhilan Huang , Jingwen Yu , Jian Yin, Fast detection of database system abuse behaviors based on data mining approach, Proceedings of the 2nd international conference on Scalable information systems, June 06-08, 2007, Suzhou, China
Yang Li , Li Guo , Zhi-Hong Tian , Tian-Bo Lu, A lightweight web server anomaly detection method based on transductive scheme and genetic algorithms, Computer Communications, v.31 n.17, p.4018-4025, November, 2008
Stefano Zanero, ULISSE, a network intrusion detection system, Proceedings of the 4th annual workshop on Cyber security and informaiton intelligence research: developing strategies to meet the cyber security and information intelligence challenges ahead, May 12-14, 2008, Oak Ridge, Tennessee
Marius Kloft , Ulf Brefeld , Patrick Düessel , Christian Gehl , Pavel Laskov, Automatic feature selection for anomaly detection, Proceedings of the 1st ACM workshop on Workshop on AISec, October 27-27, 2008, Alexandria, Virginia, USA
M. Ali Aydın , A. Halim Zaim , K. Gökhan Ceylan, A hybrid intrusion detection system design for computer network security, Computers and Electrical Engineering, v.35 n.3, p.517-526, May, 2009
Varun Chandola , Vipin Kumar, Summarization – compressing data into an informative representation, Knowledge and Information Systems, v.12 n.3, p.355-378, August 2007
Varun Chandola , Arindam Banerjee , Vipin Kumar, Anomaly detection: A survey, ACM Computing Surveys (CSUR), v.41 n.3, p.1-58, July 2009
Christopher Kruegel , Giovanni Vigna , William Robertson, A multi-model approach to the detection of web-based attacks, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.48 n.5, p.717-738, 5 August 2005
Ciza Thomas , N. Balakrishnan, Improvement in intrusion detection with advances in sensor fusion, IEEE Transactions on Information Forensics and Security, v.4 n.3, p.542-551, September 2009
Ciza Thomas , N. Balakrishnan, Mathematical analysis of sensor fusion for intrusion detection systems, Proceedings of the First international conference on COMmunication Systems And NETworks, p.147-156, January 05-10, 2009, Bangalore, India

INDEX TERMS

Primary Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS
      C.2.0 General
          Subjects: Security and protection (e.g., firewalls)

Additional Classification:
  H. Information Systems
  H.2 DATABASE MANAGEMENT
      H.2.7 Database Administration
          Subjects: Security, integrity, and protection

  K. Computing Milieux
  K.6 MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS
      K.6.5 Security and Protection (D.4.6, K.4.2)
          Subjects: Unauthorized access (e.g., hacking, phreaking)


General Terms:
Experimentation, Performance, Security

Collaborative Colleagues:
Matthew V. Mahoney: colleagues
Philip K. Chan: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2010 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player