Detecting unknown network attacks using language models

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 4064 LNCS, Issue , 2006, Pages 74-90

  Rieck, Konrad ^a   Laskov, Pavel ^a  

^a FRAUNHOFER FIRST   (Germany)

Author keywords

[No Author keywords available]

Indexed keywords

COMPUTER PROGRAMMING LANGUAGES; DATA STRUCTURES; FEATURE EXTRACTION; HTTP; INTERNET; MATHEMATICAL MODELS; NETWORK PROTOCOLS;

INTRUSION DETECTION; LANGUAGE MODELS; TCP CONNECTION PAYLOADS; TRIE DATA STRUCTURES;

COMPUTER CRIME;

EID: 33746430492     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/11790754_5     Document Type: Conference Paper

References (51)

1. Shannon, C., Moore, D.: The spread of the Witty worm. Proc. IEEE Symposium on Security and Privacy 2(4) (2004) 46-50
2. CERT: Advisory CA-2001-21: Buffer overflow in telnetd. CERT Coordination Center (2001)
3. Rubin, S., Jha, S., Miller, B.: Language-based generation and evaluation of NIDS signatures. In: Proc. IEEE Symposium on Security and Privacy. (2005) 3-17
4. Liang, Z., Sekar, R.: Automatic generation of buffer overflow attack signatures: An approach based on program behavior models. In: Proc. ACSAC. (2005) To appear.
5. Kruegel, C., Kirda, E., Mutz, D., Robertson, W., Vigna, G.: Polymorphic worm detection using structural information of executables. In: Proc. RAID. (2005)
6. Meier, M.: A model for the semantics of attack signatures in misuse detection systems. In: Proc. ISC. (2004) 158-169
7. Eckmann, S., Vigna, G., Kemmerer, R.: STATL: An attack language for state-based intrusion detection. Journal of Computer Security 10(1/2) (2002) 71-104
8. Paxson, V.: Bro: a system for detecting network intruders in real-time. In: Proc. USENIX. (1998) 31-51
9. Wang, K., Cretu, G., Stolfo, S.: Anomalous payload-based worm detection and signature generation. In: Proc. RAID. (2005)
10. Wang, K., Stolfo, S.: Anomalous payload-based network intrusion detection. In: Proc. RAID. (2004) 203-222
11. Kruegel, C., Toth, T., Kirda, E.: Service specific anomaly detection for network intrusion detection. In: Proc. Symposium on Applied Computing. (2002) 201-208
12. Mahoney, M., Chan, P.: An analysis of the 1999 DARPA/Lincoln Laboratory evaluation data for network anomaly detection. In: Proc. RAID. (2004) 220-237
13. Mahoney, M., Chan, P.: PHAD: Packet header anomaly detection for identifying hostile network traffic. Technical Report CS-2001-2, Florida Institute of Technology (2001)
14. Eskin, E., Arnold, A., Prerau, M., Portnoy, L., Stolfo, S.: A geometric framework for unsupervised anomaly detection: detecting intrusions in unlabeled data. In: Applications of Data Mining in Computer Security. Kluwer (2002)
15. Lee, W., Stolfo, S.J.: A framework for constructing features and models for intrusion detection systems. ACM Transactions on Information and System Security 3 (2001) 227-261
16. Mahoney, M., Chan, P.: Learning models of network traffic for detecting novel attacks. Technical Report CS-2002-8, Florida Institute of Technology (2002)
17. Mahoney, M.: Network traffic anomaly detection based on packet bytes. In: Proc. ACM Symposium on Applied Computing. (2003) 346-350
18. Vargiya, R., Chan, P.: Boundary detection in tokenizing netwok application payload for anomaly detection. In: Proc. ICDM Workshop on Data Mining for Computer Security. (2003) 50-59
19. Forrest, S., Hofmeyr, S., Somayaji, A., Longstaff, T.: A sense of self for unix processes. In: Proc. IEEE Symposium on Security and Privacy, Oakland, CA, USA (1996) 120-128
20. Hofmeyr, S., Forrest, S., Somayaji, A.: Intrusion detection using sequences of system calls. Journal of Computer Security 6(3) (1998) 151-180
21. Warrender, C., Forrest, S., Perlmutter, B.: Detecting intrusions using system calls: alternative data models. In: Proc. IEEE Symposium on Security and Privacy. (1999) 133-145
22. Marceau, C.: Characterizing the behavior of a program using multiple-length n-grams. In: Proc. NSPW. (2000) 101-110
23. Ghosh, A., Schwartzbard, A., Schatz, M.: Learning program behavior profiles for intrusion detection. In: Proc. USENIX, Santa Clara, CA, USA (1999) 51-62
24. Eskin, E., Lee, W., Stolfo, S.: Modeling system calls for intrusion detection with dynamic window sizes. In: Proc. DISCEX. (2001)
25. Damashek, M.: Gauging similarity with n-grams: Language-independent categorization of text. Science 267(5199) (1995) 843-848
26. de la Briandais, R.: File searching using variable length keys. In: Proc. AFIPS Western Joint Computer Conference. (1959) 295-298
27. Fredkin, E.: Trie memory. Communications of ACM 3(9) (1960) 490-499
28. Knuth, D.: The art of computer programming. Volume 3. Addison-Wesley (1973)
29. Emran, S., Ye, N.: Robustness of canberra metric in computer intrusion detection. In: Proc. IEEE Workshop on Information Assurance and Security, West Point, NY, USA (2001)
30. Dice, L.: Measure of the amount of ecologic association between species. Ecology 26(3) (1945) 297-302
31. Sokal, R., Sneath, P.: Principles of numerical taxonomy. Freeman, San Francisco, CA, USA (1963)
32. Portnoy, L., Eskin, E., Stolfo, S.: Intrusion detection with unlabeled data using clustering. In: Proc. ACM CSS Workshop on Data Mining Applied to Security. (2001)
33. Lazarevic, A., Ertoz, L., Kumar, V., Ozgur, A., Srivastava, J.: A comparative study of anomaly detection schemes in network intrusion detection,. In: Proc. SIAM. (2003)
34. Laskov, P., Schäfer, C., Kotenko, I.: Intrusion detection in unlabeled data with quarter-sphere support vector machines. In: Proc. DIMVA. (2004) 71-82
35. Lippmann, R., Haines, J., Fried, D., Korba, J., Das, K.: The 1999 DARPA off-line intrusion detection evaluation. Computer Networks 34(4) (2000) 579-595
36. McHugh, J.: The 1998 Lincoln Laboratory IDS evaluation. In: Proc. RAID. (2000) 145-161
37. McHugh, J.: Testing intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory. ACM Trans. on Information Systems Security 3(4) (2000) 262-294
38. Moore, H.D.: The metasploit project - open-source platform for developing, testing, and using exploit code, http://www.metasploit.com (2005)
39. Lodhi, H., Saunders, C., Shawe-Taylor, J., Cristianini, N., Watkins, C.: Text classification using string kernels. Journal of Machine Learning Research 2 (2002) 419-444
40. Roesch, M.: Snort: Lightweight intrusion detection for networks. In: Proc. LISA. (1999) 229-238
41. Nagy, G.: Twenty years of document image analysis in PAMI. IEEE Trans. Pattern Analysis and Machine Intelligence 22(1) (2000) 36-62
42. Suen, C.Y.: N-gram statistics for natural language understanding and text processing. IEEE Trans. Pattern Analysis and Machine Intelligence 1(2) (1979) 164-172
43. Cavnar, W.B., Trenkle, J.M.: N-gram-based text categorization. In: Proc. SDAIR, Las Vegas, NV, USA. (1994) 161-175
44. Robertson, A.M., Willett, P.: Applications of n-grams in textual information systems. Journal of Documentation 58(1) (1998) 48-69
45. Watkins, C.: Dynamic alignment kernels. In Smola, A., Bartlett, P., Schölkopf, B., Schuurmans, D., eds.: Advances in Large Margin Classifiers, Cambridge, MA, MIT Press (2000) 39-50
46. Leslie, C., Eskin, E., Noble, W.: The spectrum kernel: A string kernel for SVM protein classification. In: Proc. Pacific Symp. Biocomputing. (2002) 564-575
47. Lee, W., Stolfo, S., Chan, P.: Learning patterns from unix process execution traces for intrusion detection. In: Proc. AAAI workshop on Fraud Detection and Risk Management, Providence, RI, USA (1997) 50-56
48. Michael, C.: Finding the vocabulary of program behavior data for anomaly detection. In: Proc. DISCEX. (2003) 152-163
49. Hamming, R.W.: Error-detecting and error-correcting codes. Bell System Technical Journal 29(2) (1950) 147-160
50. Anderberg, M.: Cluster Analysis for Applications. Academic Press, Inc., New York, NY, USA (1973)
51. Harmeling, S., Dornhege, G., Tax, D., Meinecke, F., Müller, K.R.: From outliers to prototypes: ordering data. Neurocomputing (2006) in press.