Abstract
Intrusion detection rests on the assumption that intrusive activities are noticeably different from normal ones and are therefore detectable [16]. Many intrusion detection approaches have been suggested in the literature since Anderson's seminal report [5]. Traditionally these approaches are classified into three categories: misuse detection, anomaly detection and specification-based detection. Anomaly-based approaches build a model of the monitored data flow under normal conditions, in the absence of any intrusive activity, against which observed activity is compared. In contrast, misuse detection approaches encode knowledge about patterns in the data flow that are known to correspond to intrusive activity in the form of specific signatures. In specification-based approaches, security experts predefine the allowed system behaviours, and events that do not match the specifications are labelled as attacks. In this chapter we discuss these different approaches in detail and summarize some representative examples in each category.
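The three categories above can be contrasted on a single input. The following added example (not code from the chapter or its authors) runs a toy misuse detector, a toy anomaly detector and a toy specification-based detector over constructed system-call traces of a hypothetical daemon. The traces, the single signature, the allowed-call specification and the n-gram model are all assumptions made for illustration; the n-gram model follows the "sense of self" idea of Forrest et al. (1996) in the reference list, reduced to its simplest form.

```python
from typing import Dict, List, Set, Tuple

# Constructed system-call traces of a hypothetical daemon, used as the
# "normal" data from which the anomaly model is learned. Not real audit data.
NORMAL_TRACES: List[List[str]] = [
    ["open", "read", "write", "close"],
    ["open", "read", "read", "write", "close"],
    ["open", "stat", "read", "write", "close"],
]

# Constructed traces under test. The first spawns a process mid-stream; the
# second is merely unusual (two stats in a row) but harmless.
SUSPECT_TRACE: List[str] = ["open", "read", "execve", "write", "close"]
NOVEL_BENIGN_TRACE: List[str] = ["open", "stat", "stat", "read", "write", "close"]

# --- Misuse detection: encode known-bad patterns as signatures ---------------
# A signature here is a contiguous sub-sequence of calls. The one below is a
# made-up signature for illustration, not a rule from any real IDS.
SIGNATURES: Dict[str, Tuple[str, ...]] = {
    "exec-after-read": ("read", "execve"),
}

def misuse_detect(trace: List[str], signatures=SIGNATURES) -> List[str]:
    """Names of signatures found as contiguous sub-sequences of the trace."""
    hits = []
    for name, pattern in signatures.items():
        n = len(pattern)
        windows = (tuple(trace[i:i + n]) for i in range(len(trace) - n + 1))
        if any(w == pattern for w in windows):
            hits.append(name)
    return hits

# --- Anomaly detection: model normal behaviour, flag deviations --------------
def build_ngram_model(traces: List[List[str]], n: int = 2) -> Set[Tuple[str, ...]]:
    """Set of every n-gram observed in the normal traces (the model of 'self')."""
    model: Set[Tuple[str, ...]] = set()
    for t in traces:
        for i in range(len(t) - n + 1):
            model.add(tuple(t[i:i + n]))
    return model

def anomaly_score(trace: List[str], model: Set[Tuple[str, ...]], n: int = 2) -> float:
    """Fraction of the trace's n-grams never seen in training (0.0 = fully normal)."""
    grams = [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]
    if not grams:
        return 0.0
    unseen = sum(1 for g in grams if g not in model)
    return unseen / len(grams)

# --- Specification-based detection: allow only predefined behaviour ----------
# Hypothetical specification written by a security expert: the daemon may only
# touch files; any other call is a violation regardless of training data.
SPEC_ALLOWED_CALLS: Set[str] = {"open", "stat", "read", "write", "close"}

def specification_detect(trace: List[str], allowed=SPEC_ALLOWED_CALLS) -> List[str]:
    """Calls in the trace that the specification does not permit."""
    return [call for call in trace if call not in allowed]

def classify(trace: List[str], model, anomaly_threshold: float = 0.0) -> Dict[str, object]:
    """Run all three detectors on one trace and report the verdicts side by side."""
    score = anomaly_score(trace, model)
    return {
        "misuse": misuse_detect(trace),
        "anomaly": (round(score, 3), score > anomaly_threshold),
        "specification": specification_detect(trace),
    }

if __name__ == "__main__":
    model = build_ngram_model(NORMAL_TRACES)
    for label, trace in [("suspect", SUSPECT_TRACE), ("novel-benign", NOVEL_BENIGN_TRACE)]:
        print(label, classify(trace, model))
```

Running it shows the characteristic behaviour of each category: the suspect trace is caught by all three detectors, while the novel-but-benign trace is ignored by the signature and the specification yet flagged by the anomaly model, because a normal model built from a few traces cannot distinguish "unseen" from "intrusive".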
References
[1] T. Abbes, A. Bouhoula, and M. Rusinowitch, Protocol analysis in intrusion detection using decision tree, Proceedings of the International Conference on Information Technology: Coding and Computing (ITCC), vol. 1, 2004.
[2] A.A.E. Ahmed and I. Traore, Detecting computer intrusions using behavioral biometrics, Third Annual Conference on Privacy, Security and Trust (PST), 2005.
[3] D. Anderson, T. Frivold, and A. Valdes, Next-generation intrusion detection expert system (NIDES): A summary, Tech. report, SRI International, Computer Science Laboratory, 1995.
[4] D. Anderson, T.F. Lunt, H. Javitz, A. Tamaru, and A. Valdes, Detecting unusual program behavior using the statistical component of the Next-generation Intrusion Detection Expert System (NIDES), Tech. report, SRI International, Computer Science Laboratory, 1995.
[5] J.P. Anderson, Computer security threat monitoring and surveillance, Tech. report, 1980.
[6] S. Antonatos, K.G. Anagnostakis, and E.P. Markatos, Generating realistic workloads for network intrusion detection systems, ACM SIGSOFT Software Engineering Notes 29 (2004), no. 1, 207–215.
[7] S. Axelsson, Intrusion detection systems: A survey and taxonomy, Tech. Report 99-15, Chalmers University of Technology, Department of Computer Engineering, 2000.
[8] B. Balajinath and S.V. Raghavan, Intrusion detection through learning behavior model, Computer Communications 24 (2001), no. 12, 1202–1212.
[9] P. Barford and D. Plonka, Characteristics of network traffic flow anomalies, Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement, ACM, New York, NY, USA, 2001, pp. 69–73.
[10] P. Barford, J. Kline, D. Plonka, and A. Ron, A signal analysis of network traffic anomalies, Proceedings of the 2nd ACM SIGCOMM Workshop on Internet Measurement (Marseille, France), ACM Press, New York, NY, USA, 2002, pp. 71–82.
[11] M.M. Breunig, H.P. Kriegel, R.T. Ng, and J. Sander, LOF: Identifying density-based local outliers, ACM SIGMOD Record 29 (2000), no. 2, 93–104.
[12] S.M. Bridges and R.B. Vaughn, Fuzzy data mining and genetic algorithms applied to intrusion detection, Proceedings of the 23rd National Information Systems Security Conference, National Institute of Standards and Technology, October 2000.
[13] A. Chittur, Model generation for an intrusion detection system using genetic algorithms, High School Honors Thesis, Ossining High School in cooperation with Columbia University, 2001.
[14] M. Crosbie and E.H. Spafford, Applying genetic programming to intrusion detection, Proceedings of the 1995 AAAI Fall Symposium on Genetic Programming, November 1995.
[15] H. Debar, M. Becker, and D. Siboni, A neural network component for an intrusion detection system, Proceedings of the 1992 IEEE Symposium on Security and Privacy, 1992, pp. 240–250.
[16] D.E. Denning, An intrusion-detection model, IEEE Transactions on Software Engineering (1987), 222–232.
[17] O. Depren, M. Topallar, E. Anarim, and M.K. Ciliz, An intelligent intrusion detection system (IDS) for anomaly and misuse detection in computer networks, Expert Systems with Applications 29 (2005), no. 4, 713–722.
[18] P. D'haeseleer, S. Forrest, and P. Helman, An immunological approach to change detection: Algorithms, analysis, and implications, Proceedings of the IEEE Symposium on Security and Privacy, IEEE Computer Society, 1996, pp. 110–119.
[19] S.M. Emran and N. Ye, Robustness of Canberra metric in computer intrusion detection, Proceedings of the IEEE Workshop on Information Assurance and Security (West Point, NY, USA), 2001, pp. 80–84.
[20] E. Eskin, Anomaly detection over noisy data using learned probability distributions, Proceedings of the 17th International Conference on Machine Learning (ICML'00), 2000, pp. 255–262.
[21] E. Eskin, A. Arnold, M. Prerau, L. Portnoy, and S. Stolfo, A geometric framework for unsupervised anomaly detection, Applications of Data Mining in Computer Security (2002), 77–101.
[22] S. Forrest, S. Hofmeyr, A. Somayaji, and T. Longstaff, A sense of self for UNIX processes, Proceedings of the 1996 IEEE Symposium on Security and Privacy (Los Alamitos, CA), IEEE Computer Society Press, 1996, pp. 120–128.
[23] S. Forrest, S.A. Hofmeyr, and A. Somayaji, Computer immunology, Communications of the ACM 40 (1997), no. 10, 88–96.
[24] S. Forrest, A.S. Perelson, L. Allen, and R. Cherukuri, Self-nonself discrimination in a computer, Proceedings of the IEEE Symposium on Research in Security and Privacy, 1994, pp. 202–212.
[25] A.K. Ghosh, J. Wanken, and F. Charron, Detecting anomalous and unknown intrusions against programs, Proceedings of the 14th Annual Computer Security Applications Conference (ACSAC'98), 1998, pp. 259–267.
[26] J. Gómez, D. Dasgupta, O. Nasraoui, and F. Gonzalez, Complete expression trees for evolving fuzzy classifier systems with genetic algorithms, Proceedings of the North American Fuzzy Information Processing Society Conference (NAFIPS-FLINTS), 2002, pp. 469–474.
[27] H. Debar, M. Dacier, and A. Wespi, A revised taxonomy for intrusion-detection systems, IBM Research Report, 1999.
[28] L.T. Heberlein, G.V. Dias, K.N. Levitt, B. Mukherjee, J. Wood, and D. Wolber, A network security monitor, Proceedings of the IEEE Symposium on Research in Security and Privacy (Oakland, CA), 1990, pp. 296–304.
[29] J. Hochberg, K. Jackson, C. Stallings, J.F. McClary, D. DuBois, and J. Ford, NADIR: An automated system for detecting network intrusion and misuse, Computers and Security 12 (1993), no. 3, 235–248.
[30] K. Hwang, M. Cai, Y. Chen, and M. Qin, Hybrid intrusion detection with weighted signature generation over anomalous internet episodes, IEEE Transactions on Dependable and Secure Computing (2007), 41–55.
[31] K. Ilgun, USTAT: A real-time intrusion detection system for UNIX, Proceedings of the IEEE Symposium on Security and Privacy, 1993, pp. 16–28.
[32] K. Ilgun, R.A. Kemmerer, and P.A. Porras, State transition analysis: A rule-based intrusion detection approach, IEEE Transactions on Software Engineering 21 (1995), no. 3, 181–199.
[33] K.A. Jackson, D.H. DuBois, and C.A. Stallings, An expert system application for network intrusion detection, Proceedings of the National Computer Security Conference, vol. 1, 1991.
[34] H.S. Javitz, A. Valdes, T. Lunt, and M. Tyson, Next generation intrusion detection expert system (NIDES), Tech. Report A016, SRI International, March 1993.
[35] A. Jones and R. Sielken, Computer system intrusion detection: A survey, Tech. report, Department of Computer Science, University of Virginia, Charlottesville, VA, September 2000.
[36] C. Ko, Logic induction of valid behavior specifications for intrusion detection, Proceedings of the IEEE Symposium on Security and Privacy, 2000, pp. 142–153.
[37] C. Ko, P. Brutch, J. Rowe, G. Tsafnat, and K. Levitt, System health and intrusion monitoring using a hierarchy of constraints, Proceedings of Recent Advances in Intrusion Detection, 4th International Symposium (RAID 2001) (Davis, CA, USA) (W. Lee, L. Mé, and A. Wespi, eds.), Lecture Notes in Computer Science, Springer-Verlag, Heidelberg, October 2001, pp. 190–203.
[38] C. Ko, M. Ruschitzka, and K. Levitt, Execution monitoring of security-critical programs in distributed systems: A specification-based approach, Proceedings of the IEEE Symposium on Security and Privacy, May 1997, pp. 175–187.
[39] C. Kruegel and G. Vigna, Anomaly detection of web-based attacks, Proceedings of the 10th ACM Conference on Computer and Communications Security (Washington, DC, USA), ACM Press, October 2003, pp. 251–261.
[40] S. Kumar, Classification and detection of computer intrusions, Ph.D. thesis, Purdue University, 1995.
[41] S. Kumar and E. Spafford, A pattern matching model for misuse intrusion detection, Proceedings of the 17th National Computer Security Conference, 1994.
[42] S. Kumar and E. Spafford, A software architecture to support misuse intrusion detection, Proceedings of the 18th National Information Security Conference, 1995.
[43] S. Kumar and E. Spafford, An application of pattern matching in intrusion detection, Tech. Report 94-013, Purdue University, Department of Computer Sciences, March 1994.
[44] T. Lane, Machine learning techniques for the computer security domain of anomaly detection, Ph.D. thesis, Purdue University, August 2000.
[45] L. Lankewicz and M. Benard, Real-time anomaly detection using a nonparametric pattern recognition approach, Proceedings of the 7th Annual Computer Security Applications Conference (ACSAC'91), 1991.
[46] J. Lee, S. Moskovics, and L. Silacci, A survey of intrusion detection analysis methods, 1999.
[47] W. Lee, S.J. Stolfo, and K.W. Mok, A data mining framework for building intrusion detection models, Proceedings of the 1999 IEEE Symposium on Security and Privacy, May 1999, pp. 120–132.
[48] W. Lee and S.J. Stolfo, Data mining approaches for intrusion detection, Proceedings of the 7th USENIX Security Symposium, 1998.
[49] W. Lee, S.J. Stolfo, and K.W. Mok, Mining audit data to build intrusion detection models, Proceedings of the 4th International Conference on Knowledge Discovery and Data Mining, AAAI Press, 1998, pp. 66–72.
[50] Z. Lei and A.A. Ghorbani, Network intrusion detection using an improved competitive learning neural network, Proceedings of the Second Annual Conference on Communication Networks and Services Research (Fredericton, NB, Canada), 2004.
[51] U. Lindqvist and P.A. Porras, Detecting computer and network misuse through the production-based expert system toolset (P-BEST), Proceedings of the IEEE Symposium on Security and Privacy, 1999, pp. 146–161.
[52] W. Lu and I. Traore, Unsupervised anomaly detection using an evolutionary extension of the k-means algorithm, International Journal of Information and Computer Security (Inderscience) 2 (May 2008), 107–139.
[53] T. Lunt, R. Jagannathan, R. Lee, S. Listgarten, D. Edwards, P. Neumann, H. Javitz, and A. Valdes, IDES: The enhanced prototype. A real-time intrusion detection system, Tech. report, SRI Project 4185-010, SRI-CSL-88, 1988.
[54] T.F. Lunt, A. Tamaru, F. Gilham, R. Jagannathan, C. Jalali, P.G. Neumann, H.S. Javitz, A. Valdes, and T.D. Garvey, A real-time intrusion detection expert system (IDES), Tech. report, SRI International, Menlo Park, CA, February 1992.
[55] T.F. Lunt, Detecting intruders in computer systems, Proceedings of the 1993 Conference on Auditing and Computer Technology, 1993.
[56] J. McHugh, Intrusion and intrusion detection, International Journal of Information Security 1 (2001), no. 1, 14–35.
[57] L. Mé, GASSATA, a genetic algorithm as an alternative tool for security audit trails analysis, Proceedings of the 1st International Symposium on Recent Advances in Intrusion Detection (RAID'98) (Louvain-la-Neuve, Belgium), September 1998.
[58] P.G. Neumann and P.A. Porras, Experience with EMERALD to date, Proceedings of the First USENIX Workshop on Intrusion Detection and Network Monitoring (Santa Clara, California), IEEE Computer Society Press, April 1999, pp. 73–80.
[59] S. Peddabachigari, A. Abraham, C. Grosan, and J. Thomas, Modeling intrusion detection system using hybrid intelligent systems, Journal of Network and Computer Applications 30 (2007), no. 1, 114–132.
[60] J. Peng, C. Feng, and J. Rozenblit, A hybrid intrusion detection and visualization system, Proceedings of the 13th Annual IEEE International Symposium and Workshop on Engineering of Computer Based Systems (ECBS'06), 2006, pp. 505–506.
[61] P.A. Porras and P.G. Neumann, EMERALD: Event monitoring enabling responses to anomalous live disturbances, Proceedings of the National Information Systems Security Conference, 1997, pp. 353–365.
[62] L. Portnoy, E. Eskin, and S.J. Stolfo, Intrusion detection with unlabeled data using clustering, Proceedings of the ACM CSS Workshop on Data Mining Applied to Security (DMSA'01) (Philadelphia, PA), 2001, pp. 76–105.
[63] M. Sabhnani and G. Serpen, Application of machine learning algorithms to KDD intrusion detection dataset within misuse detection context, International Conference on Machine Learning, Models, Technologies and Applications, 2003, pp. 209–215.
[64] B. Schölkopf, J.C. Platt, J. Shawe-Taylor, A.J. Smola, and R.C. Williamson, Estimating the support of a high-dimensional distribution, Neural Computation 13 (2001), no. 7, 1443–1471.
[65] M. Sebring, E. Shellhouse, M. Hanna, and R. Whitehurst, Expert systems in intrusion detection: A case study, Proceedings of the 11th National Computer Security Conference, 1988, pp. 74–81.
[66] R. Sekar, A. Gupta, J. Frullo, T. Shanbhag, A. Tiwari, H. Yang, and S. Zhou, Specification-based anomaly detection: A new approach for detecting network intrusions, Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS'02) (Washington, DC, USA), ACM Press, November 2002, pp. 265–274.
[67] T. Shon and J. Moon, A hybrid machine learning approach to network anomaly detection, Information Sciences 177 (2007), no. 18, 3799–3821.
[68] M.L. Shyu, S.C. Chen, K. Sarinnapakorn, and L.W. Chang, A novel anomaly detection scheme based on principal component classifier.
[69] V.A. Siris and F. Papagalou, Application of anomaly detection algorithms for detecting SYN flooding attacks, Computer Communications 29 (2006), no. 9, 1433–1442.
[70] S.E. Smaha, Haystack: An intrusion detection system, Proceedings of the Fourth Aerospace Computer Security Applications Conference, 1988, pp. 37–44.
[71] S. Staniford, J. Hoagland, and J. McAlerney, Practical automated detection of stealthy portscans, Journal of Computer Security 10 (2002), no. 1–2, 105–126.
[72] A. Sundaram, An introduction to intrusion detection, Crossroads 2 (1996), no. 4, 3–7.
[73] H.S. Teng, K. Chen, and S.C. Lu, Adaptive real-time anomaly detection using inductively generated sequential patterns, Proceedings of the IEEE Symposium on Research in Security and Privacy (Oakland, CA), 1990, pp. 278–284.
[74] J.L. Thames, R. Abler, and A. Saad, Hybrid intelligent systems for network security, Proceedings of the 44th Annual ACM Southeast Regional Conference, ACM, New York, NY, USA, 2006, pp. 286–289.
[75] M. Thottan and C. Ji, Anomaly detection in IP networks, IEEE Transactions on Signal Processing 51 (2003), no. 8, 148–166.
[76] E. Tombini, H. Debar, L. Mé, and M. Ducassé, A serial combination of anomaly and misuse IDSes applied to HTTP traffic, Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC'04), 2004, pp. 428–437.
[77] P. Uppuluri and R. Sekar, Experiences with specification-based intrusion detection, Proceedings of Recent Advances in Intrusion Detection, 4th International Symposium (RAID 2001) (Davis, CA, USA) (W. Lee, L. Mé, and A. Wespi, eds.), Lecture Notes in Computer Science, Springer-Verlag, Heidelberg, October 2001, pp. 172–189.
[78] H.S. Vaccaro and G.E. Liepins, Detection of anomalous computer session activity, Proceedings of the IEEE Symposium on Research in Security and Privacy (Oakland, CA), May 1989, pp. 280–289.
[79] A. Valdes and K. Skinner, Adaptive, model-based monitoring for cyber attack detection, Lecture Notes in Computer Science (2000), 80–92.
[80] G. Vigna, S.T. Eckmann, and R.A. Kemmerer, The STAT tool suite, Proceedings of DISCEX 2000 (Hilton Head, SC), IEEE Press, January 2000, pp. 46–55.
[81] G. Vigna and R.A. Kemmerer, NetSTAT: A network-based intrusion detection approach, Proceedings of the 14th Annual Computer Security Applications Conference (ACSAC'98), 1998, pp. 25–34.
[82] G. Vigna and R.A. Kemmerer, NetSTAT: A network-based intrusion detection system, Journal of Computer Security 7 (1999), no. 1, 37–71.
[83] G. Vigna, W. Robertson, V. Kher, and R.A. Kemmerer, A stateful intrusion detection system for world-wide web servers, Proceedings of the Annual Computer Security Applications Conference (ACSAC 2003) (Las Vegas, NV), December 2003, pp. 34–43.
[84] G. Vigna, F. Valeur, and R.A. Kemmerer, Designing and implementing a family of intrusion detection systems, Proceedings of the European Software Engineering Conference and ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE 2003) (Helsinki, Finland), September 2003.
[85] C. Warrender, S. Forrest, and B. Pearlmutter, Detecting intrusions using system calls: Alternative data models, Proceedings of the 1999 IEEE Symposium on Security and Privacy, May 1999, pp. 133–145.
[86] C. Xiang and S.M. Lim, Design of multiple-level hybrid classifier for intrusion detection system, Proceedings of the 2005 IEEE Workshop on Machine Learning for Signal Processing, 2005, pp. 117–122.
[87] Y. Guan, A.A. Ghorbani, and N. Belacel, Y-means: A clustering method for intrusion detection, Proceedings of the IEEE Canadian Conference on Electrical and Computer Engineering, 2003.
[88] K. Yamanishi, J.I. Takeuchi, G. Williams, and P. Milne, On-line unsupervised outlier detection using finite mixtures with discounting learning algorithms, Data Mining and Knowledge Discovery 8 (2004), no. 3, 275–300.
[89] B. Yu, E. Byres, and C. Howey, Monitoring controller's "DNA sequence" for system security, ISA Emerging Technologies Conference, Instrumentation, Systems and Automation Society, 2001.
[90] J. Zhang and M. Zulkernine, A hybrid network intrusion detection technique using random forests, Proceedings of the First International Conference on Availability, Reliability and Security (ARES'06), 2006, pp. 262–269.
Copyright information
© 2010 Springer-Verlag US
Cite this chapter
Ghorbani, A.A., Lu, W., Tavallaee, M. (2010). Detection Approaches. In: Network Intrusion Detection and Prevention. Advances in Information Security, vol 47. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-88771-5_2
DOI: https://doi.org/10.1007/978-0-387-88771-5_2
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-88770-8
Online ISBN: 978-0-387-88771-5