
Detection Approaches

Network Intrusion Detection and Prevention

Part of the book series: Advances in Information Security ((ADIS,volume 47))

Abstract

Intrusion detection rests on the assumption that intrusive activities are noticeably different from normal ones and are therefore detectable [16]. Many intrusion detection approaches have been proposed since Anderson's seminal report [5]. Traditionally they are classified into three categories: misuse detection, anomaly detection and specification-based detection. Anomaly-based approaches build a model of the monitored data flow under normal conditions, that is, in the absence of any intrusive activity, and flag departures from that model. Misuse detection approaches instead encode knowledge about patterns in the data flow that are known to correspond to intrusive activity, in the form of specific signatures. In specification-based approaches, security experts predefine the allowed system behaviours, and events that do not match the specification are labelled as attacks. In this chapter we discuss these approaches in detail and summarize representative examples in each category.
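To make the three categories concrete, the following added example (not code from the book or its authors) runs a toy misuse detector, a Denning-style statistical anomaly profile and a behaviour specification over one constructed stream of audit events, so that each paradigm's blind spot is visible. The event layout, the `EVIL-PAYLOAD` signature, the training baseline and the allowed-behaviour specification are all assumptions made for the illustration.

```python
# Added example: misuse, anomaly and specification-based detection side by side.
# All events, the signature and the specification are constructed for this demo.
import re
import statistics

# Constructed "normal" audit events used to train the anomaly profile:
# (user, command line, hour of day, bytes transferred).
TRAINING = [
    ("alice", "ls -l", 9, 200), ("alice", "make", 10, 250),
    ("bob", "cat notes.txt", 11, 180), ("bob", "scp build.tgz host:", 14, 220),
    ("alice", "make", 15, 300), ("bob", "ls", 16, 210),
    ("alice", "cat report.txt", 17, 240), ("bob", "make", 18, 260),
]

# Misuse detection: knowledge of known-bad activity encoded as signatures.
# "EVIL-PAYLOAD" is a constructed placeholder for a known attack string.
SIGNATURES = [re.compile(r"\bEVIL-PAYLOAD\b")]

def misuse_detect(event):
    """Flag only what matches a known signature; novel attacks slip through."""
    return any(sig.search(event[1]) for sig in SIGNATURES)

class AnomalyModel:
    """Statistical profile of normal byte volume (mean and standard deviation).
    Events further than k standard deviations from the mean are flagged."""
    def __init__(self, training, k=3.0):
        volumes = [e[3] for e in training]
        self.mean = statistics.mean(volumes)
        self.stdev = statistics.stdev(volumes)
        self.k = k

    def is_anomalous(self, event):
        return abs(event[3] - self.mean) > self.k * self.stdev

# Specification-based detection: experts predefine the allowed behaviour
# (working hours and permitted programs); anything outside it is an attack.
SPEC = {"hours": range(8, 19), "programs": {"ls", "make", "cat", "scp"}}

def spec_detect(event, spec=SPEC):
    program = event[1].split()[0]
    return event[2] not in spec["hours"] or program not in spec["programs"]

def classify(events, model):
    """Run all three detectors over the events; one verdict dict per event."""
    return [{"misuse": misuse_detect(e), "anomaly": model.is_anomalous(e),
             "spec": spec_detect(e)} for e in events]

# Constructed test stream: benign activity, a known attack hidden in a normal
# command, a novel off-hours bulk transfer, a benign but unusually large build,
# and an unlisted program used at a normal time and volume.
EVENTS = [
    ("alice", "ls -l", 10, 230),
    ("bob", "cat EVIL-PAYLOAD", 11, 240),
    ("alice", "scp archive.tgz ext:", 3, 50000),
    ("bob", "make", 14, 900),
    ("alice", "newtool --sync", 12, 210),
]

if __name__ == "__main__":
    model = AnomalyModel(TRAINING)
    for event, verdict in zip(EVENTS, classify(EVENTS, model)):
        print(event[1:], verdict)
```

Only the signature catches the known attack, only the profile catches the bulk transfer (at the price of a false positive on the big build), and only the specification catches the unlisted program, which is why the chapter's later sections treat the categories as complementary.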


References

  1. T. Abbes, A. Bouhoula, and M. Rusinowitch, Protocol analysis in intrusion detection using decision tree, Proceedings of the International Conference on Information Technology: Coding and Computing (ITCC), vol. 1, 2004.
  2. A.A.E. Ahmed and I. Traore, Detecting computer intrusions using behavioral biometrics, Third Annual Conference on Privacy, Security and Trust (PST), 2005.
  3. D. Anderson, T. Frivold, and A. Valdes, Next-generation intrusion detection expert system (NIDES): A summary, SRI International, Computer Science Laboratory, 1995.
  4. D. Anderson, T.F. Lunt, H. Javitz, A. Tamaru, and A. Valdes, Detecting unusual program behavior using the statistical component of the Next-generation Intrusion Detection Expert System (NIDES), SRI International, Computer Science Laboratory, 1995.
  5. J.P. Anderson, Computer security threat monitoring and surveillance, 1980.
  6. S. Antonatos, K.G. Anagnostakis, and E.P. Markatos, Generating realistic workloads for network intrusion detection systems, ACM SIGSOFT Software Engineering Notes 29 (2004), no. 1, 207–215.
  7. S. Axelsson, Intrusion detection systems: A survey and taxonomy, Tech. Report 99–15, Chalmers University of Technology, Department of Computer Engineering, 2000.
  8. B. Balajinath and S.V. Raghavan, Intrusion detection through learning behavior model, Computer Communications 24 (2001), no. 12, 1202–1212.
  9. P. Barford and D. Plonka, Characteristics of network traffic flow anomalies, Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement, ACM, New York, NY, USA, 2001, pp. 69–73.
  10. P. Barford, J. Kline, D. Plonka, and A. Ron, A signal analysis of network traffic anomalies, Proceedings of the 2nd ACM SIGCOMM Workshop on Internet Measurement (Marseille, France), ACM Press, New York, NY, USA, 2002, pp. 71–82.
  11. M.M. Breunig, H.P. Kriegel, R.T. Ng, and J. Sander, LOF: identifying density-based local outliers, ACM SIGMOD Record 29 (2000), no. 2, 93–104.
  12. S.M. Bridges and R.B. Vaughn, Fuzzy data mining and genetic algorithms applied to intrusion detection, Proceedings of the 23rd National Information Systems Security Conference, National Institute of Standards and Technology, October 2000.
  13. A. Chittur, Model generation for an intrusion detection system using genetic algorithms, High School Honors Thesis, Ossining High School in cooperation with Columbia University, 2001.
  14. M. Crosbie and E.H. Spafford, Applying genetic programming to intrusion detection, Proceedings of the 1995 AAAI Fall Symposium on Genetic Programming, November 1995.
  15. H. Debar, M. Becker, and D. Siboni, A neural network component for an intrusion detection system, Proceedings of the 1992 IEEE Symposium on Security and Privacy, 1992, pp. 240–250.
  16. D.E. Denning, An intrusion-detection model, IEEE Transactions on Software Engineering (1987), 222–232.
  17. O. Depren, M. Topallar, E. Anarim, and M.K. Ciliz, An intelligent intrusion detection system (IDS) for anomaly and misuse detection in computer networks, Expert Systems with Applications 29 (2005), no. 4, 713–722.
  18. P. D'haeseleer, S. Forrest, and P. Helman, An immunological approach to change detection: algorithms, analysis, and implications, Proceedings of the IEEE Symposium on Security and Privacy, IEEE Computer Society, 1996, pp. 110–119.
  19. S.M. Emran and N. Ye, Robustness of Canberra metric in computer intrusion detection, Proceedings of the IEEE Workshop on Information Assurance and Security, West Point, NY, USA, 2001, pp. 80–84.
  20. E. Eskin, Anomaly detection over noisy data using learned probability distributions, Proceedings of the 17th International Conference on Machine Learning (ICML'00), 2000, pp. 255–262.
  21. E. Eskin, A. Arnold, M. Prerau, L. Portnoy, and S. Stolfo, A geometric framework for unsupervised anomaly detection, Applications of Data Mining in Computer Security (2002), 77–101.
  22. S. Forrest, S. Hofmeyr, A. Somayaji, and T. Longstaff, A sense of self for Unix processes, Proceedings of the 1996 IEEE Symposium on Security and Privacy (Los Alamitos, CA), IEEE Computer Society Press, 1996, pp. 120–128.
  23. S. Forrest, S.A. Hofmeyr, and A. Somayaji, Computer immunology, Communications of the ACM 40 (1997), no. 10, 88–96.
  24. S. Forrest, A.S. Perelson, L. Allen, and R. Cherukuri, Self-nonself discrimination in a computer, Proceedings of the Symposium on Research in Security and Privacy, 1994, pp. 202–212.
  25. A.K. Ghosh, J. Wanken, and F. Charron, Detecting anomalous and unknown intrusions against programs, Proceedings of the 14th Annual Computer Security Applications Conference (ACSAC'98), 1998, pp. 259–267.
  26. J. Gómez, D. Dasgupta, O. Nasraoui, and F. Gonzalez, Complete expression trees for evolving fuzzy classifier systems with genetic algorithms, Proceedings of the North American Fuzzy Information Processing Society Conference (NAFIPS-FLINTS), 2002, pp. 469–474.
  27. H. Debar, M. Dacier, and A. Wespi, A revised taxonomy for intrusion-detection systems, IBM Research Report, 1999.
  28. L.T. Heberlein, G.V. Dias, K.N. Levitt, B. Mukherjee, J. Wood, and D. Wolber, A network security monitor, Proceedings of the Symposium on Research in Security and Privacy (Oakland, CA), 1990, pp. 296–304.
  29. J. Hochberg, K. Jackson, C. Stallings, J.F. McClary, D. DuBois, and J. Ford, NADIR: An automated system for detecting network intrusion and misuse, Computers and Security 12 (1993), no. 3, 235–248.
  30. K. Hwang, M. Cai, Y. Chen, and M. Qin, Hybrid intrusion detection with weighted signature generation over anomalous internet episodes, IEEE Transactions on Dependable and Secure Computing (2007), 41–55.
  31. K. Ilgun, USTAT: A real-time intrusion detection system for UNIX, Proceedings of the IEEE Symposium on Security and Privacy, 1993, pp. 16–28.
  32. K. Ilgun, R.A. Kemmerer, and P.A. Porras, State transition analysis: A rule-based intrusion detection approach, IEEE Transactions on Software Engineering 21 (1995), no. 3, 181–199.
  33. K.A. Jackson, D.H. DuBois, and C.A. Stallings, An expert system application for network intrusion detection, Proceedings of the National Computer Security Conference, vol. 1, 1991.
  34. H.S. Javitz, A. Valdez, T. Lunt, and M. Tyson, Next generation intrusion detection expert system (NIDES), Tech. Report A016, SRI International, March 1993.
  35. A. Jones and R. Sielken, Computer system intrusion detection: A survey, Tech. report, Department of Computer Science, University of Virginia, Charlottesville, VA, September 2000.
  36. C. Ko, Logic induction of valid behavior specifications for intrusion detection, Proceedings of the IEEE Symposium on Security and Privacy, 2000, pp. 142–153.
  37. C. Ko, P. Brutch, J. Rowe, G. Tsafnat, and K. Levitt, System health and intrusion monitoring using a hierarchy of constraints, Recent Advances in Intrusion Detection, 4th International Symposium (RAID 2001) (Davis, CA, USA) (W. Lee, L. Mé, and A. Wespi, eds.), Lecture Notes in Computer Science, Springer-Verlag, Heidelberg, October 2001, pp. 190–203.
  38. C. Ko, M. Ruschitzka, and K. Levitt, Execution monitoring of security-critical programs in distributed systems: A specification-based approach, Proceedings of the IEEE Symposium on Security and Privacy, May 1997, pp. 175–187.
  39. C. Kruegel and G. Vigna, Anomaly detection of web-based attacks, Proceedings of the 10th ACM Conference on Computer and Communications Security (Washington D.C., USA), ACM Press, October 2003, pp. 251–261.
  40. S. Kumar, Classification and detection of computer intrusions, Ph.D. thesis, Purdue University, 1995.
  41. S. Kumar and E. Spafford, A pattern matching model for misuse intrusion detection, Proceedings of the 17th National Computer Security Conference, 1994.
  42. S. Kumar and E. Spafford, A software architecture to support misuse intrusion detection, Proceedings of the 18th National Information Security Conference, 1995.
  43. S. Kumar and E. Spafford, An application of pattern matching in intrusion detection, Tech. Report 94–013, Purdue University, Department of Computer Sciences, March 1994.
  44. T. Lane, Machine learning techniques for the computer security domain of anomaly detection, Ph.D. thesis, Purdue University, August 2000.
  45. L. Lankewicz and M. Benard, Real-time anomaly detection using a nonparametric pattern recognition approach, Proceedings of the 7th Annual Computer Security Applications Conference (ACSAC'91), 1991.
  46. J. Lee, S. Moskovics, and L. Silacci, A survey of intrusion detection analysis methods, 1999.
  47. W. Lee, S.J. Stolfo, and K.W. Mok, A data mining framework for building intrusion detection models, Proceedings of the 1999 IEEE Symposium on Security and Privacy, May 1999, pp. 120–132.
  48. W. Lee and S.J. Stolfo, Data mining approaches for intrusion detection, Proceedings of the 7th USENIX Security Symposium, 1998.
  49. W. Lee, S.J. Stolfo, and K.W. Mok, Mining audit data to build intrusion detection models, Proceedings of the 4th International Conference on Knowledge Discovery and Data Mining, AAAI Press, 1998, pp. 66–72.
  50. Z. Lei and A.A. Ghorbani, Network intrusion detection using an improved competitive learning neural network, Proceedings of the Second Annual Conference on Communication Networks and Services Research (Fredericton, NB, Canada), 2004.
  51. U. Lindqvist and P.A. Porras, Detecting computer and network misuse through the production-based expert system toolset (P-BEST), Proceedings of the IEEE Symposium on Security and Privacy, 1999, pp. 146–161.
  52. W. Lu and I. Traore, Unsupervised anomaly detection using an evolutionary extension of K-means algorithm, International Journal on Information and Computer Security 2 (May 2008), 107–139.
  53. T. Lunt, R. Jagannathan, R. Lee, S. Listgarten, D. Edwards, P. Neumann, H. Javitz, and A. Valdes, IDES: The enhanced prototype. A real-time intrusion detection system, Tech. Report SRI Project 4 185–010, SRI-CSL-88, 1988.
  54. T.F. Lunt, A. Tamaru, F. Gilham, R. Jagannathan, C. Jalali, P.G. Neumann, H.S. Javitz, A. Valdes, and T.D. Garvey, A real-time intrusion detection expert system (IDES), Tech. report, SRI International, Menlo Park, CA, February 1992.
  55. T.F. Lunt, Detecting intruders in computer systems, Proceedings of the 1993 Conference on Auditing and Computer Technology, 1993.
  56. J. McHugh, Intrusion and intrusion detection, International Journal of Information Security 1 (2001), no. 1, 14–35.
  57. L. Mé, GASSATA, a genetic algorithm as an alternative tool for security audit trails analysis, Proceedings of the 1st International Symposium on Recent Advances in Intrusion Detection (RAID'98) (Louvain-la-Neuve, Belgium), September 1998.
  58. P.G. Neumann and P.A. Porras, Experience with EMERALD to date, Proceedings of the First USENIX Workshop on Intrusion Detection and Network Monitoring (Santa Clara, California), April 1999, pp. 73–80.
  59. S. Peddabachigari, A. Abraham, C. Grosan, and J. Thomas, Modeling intrusion detection system using hybrid intelligent systems, Journal of Network and Computer Applications 30 (2007), no. 1, 114–132.
  60. J. Peng, C. Feng, and J. Rozenblit, A hybrid intrusion detection and visualization system, Proceedings of the 13th Annual IEEE International Symposium and Workshop on Engineering of Computer Based Systems (ECBS'06), 2006, pp. 505–506.
  61. P.A. Porras and P.G. Neumann, EMERALD: Event monitoring enabling responses to anomalous live disturbances, Proceedings of the National Information Systems Security Conference, 1997, pp. 353–365.
  62. L. Portnoy, E. Eskin, and S.J. Stolfo, Intrusion detection with unlabeled data using clustering, Proceedings of the ACM CCS Workshop on Data Mining Applied to Security (DMSA'01), Philadelphia, PA, 2001, pp. 76–105.
  63. M. Sabhnani and G. Serpen, Application of machine learning algorithms to KDD intrusion detection dataset within misuse detection context, International Conference on Machine Learning, Models, Technologies and Applications, 2003, pp. 209–215.
  64. B. Schölkopf, J.C. Platt, J. Shawe-Taylor, A.J. Smola, and R.C. Williamson, Estimating the support of a high-dimensional distribution, Neural Computation 13 (2001), no. 7, 1443–1471.
  65. M. Sebring, E. Shellhouse, M. Hanna, and R. Whitehurst, Expert systems in intrusion detection: A case study, Proceedings of the 11th National Computer Security Conference, 1988, pp. 74–81.
  66. R. Sekar, A. Gupta, J. Frullo, T. Shanbhag, A. Tiwari, H. Yang, and S. Zhou, Specification-based anomaly detection: a new approach for detecting network intrusions, Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS'02) (Washington D.C., USA), ACM Press, November 2002, pp. 265–274.
  67. T. Shon and J. Moon, A hybrid machine learning approach to network anomaly detection, Information Sciences 177 (2007), no. 18, 3799–3821.
  68. M.L. Shyu, S.C. Chen, K. Sarinnapakorn, and L.W. Chang, A novel anomaly detection scheme based on principal component classifier.
  69. V.A. Siris and F. Papagalou, Application of anomaly detection algorithms for detecting SYN flooding attacks, Computer Communications 29 (2006), no. 9, 1433–1442.
  70. S.E. Smaha, Haystack: An intrusion detection system, Proceedings of the Fourth Aerospace Computer Security Applications Conference, 1988, pp. 37–44.
  71. S. Staniford, J. Hoagland, and J. McAlerney, Practical automated detection of stealthy portscans, Journal of Computer Security 10 (2002), no. 1–2, 105–126.
  72. A. Sundaram, An introduction to intrusion detection, Crossroads 2 (1996), no. 4, 3–7.
  73. H.S. Teng, K. Chen, and S.C. Lu, Adaptive real-time anomaly detection using inductively generated sequential patterns, Proceedings of the Symposium on Research in Security and Privacy (Oakland, CA), 1990, pp. 278–284.
  74. J.L. Thames, R. Abler, and A. Saad, Hybrid intelligent systems for network security, Proceedings of the 44th Annual Southeast Regional Conference, ACM, New York, NY, USA, 2006, pp. 286–289.
  75. M. Thottan and C. Ji, Anomaly detection in IP networks, IEEE Transactions on Signal Processing 51 (2003), no. 8, 148–166.
  76. E. Tombini, H. Debar, L. Mé, and M. Ducassé, A serial combination of anomaly and misuse IDSes applied to HTTP traffic, Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC'04), 2004, pp. 428–437.
  77. P. Uppuluri and R. Sekar, Experiences with specification-based intrusion detection, Recent Advances in Intrusion Detection, 4th International Symposium (RAID 2001) (Davis, CA, USA) (W. Lee, L. Mé, and A. Wespi, eds.), Lecture Notes in Computer Science, Springer-Verlag, Heidelberg, October 2001, pp. 172–189.
  78. H.S. Vaccaro and G.E. Liepins, Detection of anomalous computer session activity, Proceedings of the Symposium on Research in Security and Privacy (Oakland, CA), May 1989, pp. 280–289.
  79. A. Valdes and K. Skinner, Adaptive, model-based monitoring for cyber attack detection, Lecture Notes in Computer Science (2000), 80–92.
  80. G. Vigna, S.T. Eckmann, and R.A. Kemmerer, The STAT tool suite, Proceedings of DISCEX 2000 (Hilton Head, SC), IEEE Press, January 2000, pp. 46–55.
  81. G. Vigna and R.A. Kemmerer, NetSTAT: A network-based intrusion detection approach, Proceedings of the 14th Annual Computer Security Applications Conference (ACSAC'98), 1998, pp. 25–34.
  82. G. Vigna and R.A. Kemmerer, NetSTAT: A network-based intrusion detection system, Journal of Computer Security 7 (1999), no. 1, 37–71.
  83. G. Vigna, W. Robertson, V. Kher, and R.A. Kemmerer, A stateful intrusion detection system for world-wide web servers, Proceedings of the Annual Computer Security Applications Conference (ACSAC 2003) (Las Vegas, NV), December 2003, pp. 34–43.
  84. G. Vigna, F. Valeur, and R.A. Kemmerer, Designing and implementing a family of intrusion detection systems, Proceedings of the European Software Engineering Conference and ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE 2003) (Helsinki, Finland), September 2003.
  85. C. Warrender, S. Forrest, and B. Pearlmutter, Detecting intrusions using system calls: alternative data models, Proceedings of the 1999 IEEE Symposium on Security and Privacy, May 1999, pp. 133–145.
  86. C. Xiang and S.M. Lim, Design of multiple-level hybrid classifier for intrusion detection system, Proceedings of the 2005 IEEE Workshop on Machine Learning for Signal Processing, 2005, pp. 117–122.
  87. Y. Guan, A.A. Ghorbani, and N. Belacel, Y-means: A clustering method for intrusion detection, Proceedings of the IEEE Canadian Conference on Electrical and Computer Engineering, 2003.
  88. K. Yamanishi, J.I. Takeuchi, G. Williams, and P. Milne, On-line unsupervised outlier detection using finite mixtures with discounting learning algorithms, Data Mining and Knowledge Discovery 8 (2004), no. 3, 275–300.
  89. B. Yu, E. Byres, and C. Howey, Monitoring controller's "DNA sequence" for system security, ISA Emerging Technologies Conference, Instrumentation Systems and Automation Society, 2001.
  90. J. Zhang and M. Zulkernine, A hybrid network intrusion detection technique using random forests, The First International Conference on Availability, Reliability and Security (ARES'06), 2006, pp. 262–269.


Author information

Correspondence to Ali A. Ghorbani.


Copyright information

© 2010 Springer-Verlag US

About this chapter

Cite this chapter

Ghorbani, A.A., Lu, W., Tavallaee, M. (2010). Detection Approaches. In: Network Intrusion Detection and Prevention. Advances in Information Security, vol 47. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-88771-5_2

  • DOI: https://doi.org/10.1007/978-0-387-88771-5_2

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-0-387-88770-8

  • Online ISBN: 978-0-387-88771-5
