DOI: 10.1145/508791.508835
Article

Service specific anomaly detection for network intrusion detection

Published: 11 March 2002

Abstract

The constant increase of attacks against networks and their resources (as recently shown by the CodeRed worm) creates a need to protect these valuable assets. Firewalls are now a common installation to repel intrusion attempts in the first place. Intrusion detection systems (IDS), which try to detect malicious activities instead of preventing them, offer additional protection once the first defense perimeter has been penetrated. ID systems attempt to pin down attacks by comparing collected data either to predefined signatures known to be malicious (signature based) or to a model of legal behavior (anomaly based). Anomaly based systems have the advantage of being able to detect previously unknown attacks, but they suffer from the difficulty of building a solid model of acceptable behavior and from the high number of alarms caused by unusual but authorized activities. We present an approach that utilizes application specific knowledge of the network services that should be protected. This information helps to extend current, simple network traffic models into an application model that allows malicious content hidden in single network packets to be detected. We describe the features of our proposed model and present experimental data that underlines the efficiency of our system.
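As an added illustration of the abstract's point (example code written for this page, not the paper's system): a generic per-service model that sees only packet length is trained on the same constructed HTTP requests as a model extended with request-line features, and only the service-aware model flags a request of ordinary size whose URI is mostly percent-escapes. Feature choices, the z-score threshold and the sample requests are assumptions.

```python
# Added illustration (not the paper's system): a generic per-service length
# model extended with HTTP request-line features; thresholds are assumptions.
import re
import statistics

def generic_features(payload: bytes) -> dict:
    # What a plain network-traffic model sees: the payload size only.
    return {"len": float(len(payload))}

_REQ_LINE = re.compile(r"([A-Z]+) (\S+) HTTP/1\.[01]$")

def http_features(payload: bytes) -> dict:
    # Application knowledge: parse the request line and describe the URI.
    m = _REQ_LINE.match(payload.split(b"\r\n", 1)[0].decode("latin-1"))
    if not m:
        return {"parse_ok": 0.0}
    uri = m.group(2)
    # Characters outside alphanumerics and a small assumed set of URI punctuation.
    odd = sum(1 for c in uri if not (c.isalnum() or c in "/._-?=&+"))
    return {"parse_ok": 1.0, "uri_len": float(len(uri)),
            "uri_non_alnum_ratio": odd / len(uri)}

class ServiceModel:
    # Per-feature mean/stdev learned from normal packets; z-score alarms.
    def __init__(self, extractors, threshold=3.0):
        self.extractors, self.threshold, self.stats = extractors, threshold, {}
    def features(self, payload: bytes) -> dict:
        return {k: v for ex in self.extractors for k, v in ex(payload).items()}
    def train(self, packets):
        cols = {}
        for p in packets:
            for k, v in self.features(p).items():
                cols.setdefault(k, []).append(v)
        # Floor the stdev so a constant feature still accepts exact matches.
        self.stats = {k: (statistics.mean(v), max(statistics.pstdev(v), 1e-6))
                      for k, v in cols.items()}
    def anomalies(self, payload: bytes) -> list:
        # Features whose z-score against the learned statistics is too high.
        return [k for k, v in self.features(payload).items()
                if abs(v - self.stats[k][0]) / self.stats[k][1] > self.threshold]

# Constructed "normal" requests to learn from (not real traffic).
NORMAL = [b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
          b"GET /images/logo.png HTTP/1.1\r\nHost: example.test\r\n\r\n",
          b"GET /search?q=anomaly%20detection HTTP/1.1\r\nHost: example.test\r\n\r\n",
          b"GET /docs/intro.html HTTP/1.1\r\nHost: example.test\r\n\r\n"]
# Constructed request of ordinary size whose URI is mostly percent-escapes.
ODD = b"GET /a/%7f%7e%7d%7c%7b%7a%79%78 HTTP/1.1\r\nHost: example.test\r\n\r\n"
GENERIC = ServiceModel([generic_features]); GENERIC.train(NORMAL)
HTTP = ServiceModel([generic_features, http_features]); HTTP.train(NORMAL)
```

The length-only model accepts ODD because its size is unremarkable; the HTTP model reports the URI character-class ratio, and a non-HTTP payload of normal size is caught by the parse feature alone.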

Published In

SAC '02: Proceedings of the 2002 ACM symposium on Applied computing
March 2002
1200 pages
ISBN:1581134452
DOI:10.1145/508791
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. anomaly detection
  2. intrusion detection
  3. network security

Conference

SAC02: 2002 ACM Symposium on Applied Computing
March 11 - 14, 2002
Madrid, Spain

Acceptance Rates

Overall Acceptance Rate 1,650 of 6,669 submissions, 25%
