Language models for detection of unknown attacks in network traffic

Journal in Computer Virology

Volumn 2, Issue 4, 2007, Pages 243-256

  Rieck, Konrad ^a   Laskov, Pavel ^a  

^a FRAUNHOFER FOKUS   (Germany)

Author keywords

[No Author keywords available]

Indexed keywords

EID: 33846910249     PISSN: 17729890     EISSN: 17729904     Source Type: Journal    
DOI: 10.1007/s11416-006-0030-0     Document Type: Article

References (69)

1. Staniford, S., Paxson, V., Weaver, N.: How to own the internet in your spare time. In: Proceedings of USENIX Security Symposium (2002)
2. Shannon, C., Moore, D.: The spread of the Witty worm. IEEE Sec. Priv. 2(4), 46-50 (2004)
3. Moore, D., Paxson, V., Savage, S., Shannon, C., Staniford, S., Weaver, N.: Inside the Slammer worm. IEEE Sec. Priv. 1(4), 33-39 (2003)
4. CERT Advisory CA-2001-21: Buffer overflow in telnetd. CERT Coordination Center (2001)
5. CERT Advisory CA-2002-28: Openssh vulnerabilities in challenge response handling. CERT Coordination Center (2002)
6. Mahoney, M., Chan, P.: PHAD: packet header anomaly detection for identifying hostile network traffic. Technical Report CS-2001-2, Florida Institute of Technology (2001)
7. Mahoney, V., Chan, K.P.: Learning rules for anomaly detection of hostile network traffic. In: Proceedings of International Conference on Data Mining (ICDM) (2003)
8. Kruegel, C., Toth, T., Kirda, E.: Service specific anomaly detection for network intrusion detection. In: Proceedings of ACM Symposium on Applied Computing, 201-208 (2002)
9. Eskin, E., Arnold, A., Prerau, M., Portnoy, L., Stolfo, S.: A geometric framework for unsupervised anomaly detection: detecting intrusions in unlabeled data. In: Applications of Data Mining in Computer Security. Kluwer, Dordrecht (2002)
10. Mahoney, M., Chan, P.: An analysis of the 1999 DARPA/Lincoln Laboratory evaluation data for network anomaly detection. In: Recent Adances in Intrusion Detection (RAID), 220-237 (2004)
11. Vargiya, R., Chan, P.: Boundary detection in tokenizing netwok application payload for anomaly detection. In: Proceedings of ICDM Workshop on Data Mining for Computer Security, 50-59 (2003)
12. Kruegel, C., Vigna, G.: Anomaly detection of web-based attacks. In: Proceedings of 10th ACM Conference on Computer and Communications Security, 251-261 (2003)
13. Wang, K., Stolfo, S.: Anomalous payload-based network intrusion detection. In: Recent Adances in Intrusion Detection (RAID), 203-222 (2004)
14. Lee, W., Stolfo, S.J.: A framework for constructing features and models for intrusion detection systems. ACM Trans. Inform. Syst. Sec. 3, 227-261 (2001)
15. Mahoney, M., Chan, P.: Learning models of network traffic for detecting novel attacks. Technical Report CS-2002-8, Florida Institute of Technology (2002)
16. Mahoney, M.: Network traffic anomaly detection based on packet bytes. In: Proceedings of ACM Symposium on Applied Computing, 346-350 (2003)
17. Zanero, S., Savaresi, S.M.: Unsupervised learning techniques for an intrusion detection system. In: Proceedings of ACM Symposium on Applied Computing (2004)
18. Wang, K., Cretu, G., Stolfo, S.: Anomalous payload-based worm detection and signature generation. In: Recent Adances in Intrusion Detection (RAID) (2005)
19. Forrest, S., Hofmeyr, S., Somayaji, A., Longstaff, T.: A sense of self for unix processes. In: Proceedings of IEEE Symposium on Security and Privacy, Oakland, 120-128 (1996)
20. Hofmeyr, S., Forrest, S., Somayaji, A.: Intrusion detection using sequences of system calls. J. Comput. Sec. 6(3), 151-180 (1998)
21. Warrender, C., Forrest, S., Perlmutter, B.: Detecting intrusions using system calls: alternative data models. In: Proceedings of IEEE Symposium on Security and Privacy 133-145 (1999)
22. Marceau, C.: Characterizing the behavior of a program using multiple-length n-grams. In: Proceedings of New Security Paradigms Workshop (NSPW) 101-110 (2000)
23. Ghosh, A., Schwartzbard, A., Schatz, M.: Learning program behavior profiles for intrusion detection. In: Proceedings of USENIX Workshop on Intrusion Detection and Network Monitoring, Santa Clara, 51-62 (1999)
24. Eskin, E., Lee, W., Stolfo, S.: Modeling system calls for intrusion detection with dynamic window sizes. In: Proceedings of DARPA Information Survivability Conference and Exposition (DISCEX) (2001)
25. Wang, K., Parekh, J., Stolfo, S.: Anagram: a content anomaly detector resistant to mimicry attack. In: Recent Adances in Intrusion Detection (RAID) 226-248 (2006)
26. Cavnar, W.B., Trenkle, J.M.: N-gram-based text categorization. In: Proceedings SDAIR, Las Vegas 161-175 (1994)
27. Damashek, M.: Gauging similarity with n-grams: language-independent categorization of text. Science 267(5199), 843-848 (1995)
28. Joachims, T.: Text categorization with support vector machines: Learning with many relevant features. Technical Report 23, LS VIII, University of Dortmund (1997)
29. Nagy, G.: Twenty years of document image analysis in PAMI. IEEE Trans. Pattern Anal. Mach. Intell. 22(1), 36-62 (2000)
30. Salton, G.: Mathematics and information retrieval. J. Doc. 35(1), 1-29 (1979)
31. Suen, C.Y.: N-gram statistics for natural language understanding and text processing. IEEE Trans. Pattern Anal. Mach. Intell. 1(2), 164-172 (1979)
32. Portnoy, L., Eskin, E., Stolfo, S.: Intrusion detection with unlabeled data using clustering. In: Proceedings of ACM CSS Workshop on Data Mining Applied to Security (2001)
33. Emran, S., Ye, N.: Robustness of Canberra metric in computer intrusion detection. In: Proceedings of IEEE Workshop on Information Assurance and Security, West Point (2001)
34. Jaccard, P.: Contribution au problème de l'immigration postglaciaire de la flore alpine. Bulletin de la Société Vaudoise Des Sciences Naturelles 36, 87-130 (1900)
35. Anderberg, M.: Cluster Analysis for Applications. Academic, New York (1973)
36. de la Briandais, R.: File searching using variable length keys. In: Proceedings AFIPS Western Joint Computer Conference 295-298 (1959)
37. Fredkin, E.: Trie memory. Commun. 3(9):490-499: ACM, (1960)
38. Knuth, D.: The art of computer programming, vol. 3. Addison-Wesley, New York (1973)
39. Rieck, K., Laskov, R, Müller, K.R.: Efficient algorithms for similarity measures over sequential data: a look beyond kernels. In: Pattern Recognition, Proceedings of 28th DAGM Symposium. LNCS 374-383 (2006)
40. Rieck, K., Laskov, P., Sonnenburg, S.: Computation of similarity measures for sequential data using generalized suffix trees. In: Advances in Neural Information Processing Systems 19, MIT, Cambridge (2006)
41. Lazarevic, A., Ertoz, I.,., Kumar, V., Ozgur, A., Srivastava, J.: A comparative study of anomaly detection schemes in network intrusion detection,. In: Proceedings of SIAM International Conference on Data Mining (2003)
42. Laskov, P., Schäfer, C., Kotenko, T.: Intrusion detection in unlabeled data with quarter-sphere support vector machines. In: Detection of Intrusions and Malware, and Vulnerability Assessment, Proceedings of DIMVA Conference, 71-82 (2004)
43. Laskov, P., Düssel, P., Schäfer, C., Rieck, K.: Learning intrusion detection: supervised or unsupervised? In: Image Analysis and Processing, Proceedings of 13th ICIAP Conference, 50-57 (2005)
44. Rieck, K., Laskov, P.: Detecting unknown network attacks using language models. In: Detection of Intrusions and Malware, and Vulnerability Assessment, Proceedings of 3rd DIMVA Conference. LNCS, 74-90 (2006)
45. Knorr, E., Ng, R., Tucakov, V.: Distance-based outliers: algorithms and applications. Int. J. Very Large Data Bases 8(3-4), 237-253 (2000)
46. Harmeling, S., Dornhege, G., Tax, D., Meinecke, F.C., Müller, K.R.: From outliers to prototypes: ordering data. Neurocomputing 69(13-15), 1608-1618 (2006)
47. Lippmann, R., Haines, J., Fried, D., Korba, J., Das, K.: The 1999 DARPA off-line intrusion detection evaluation. Comput. Netw. 34(4), 579-595 (2000)
48. McHugh, J.: The 1998 Lincoln Laboratory IDS evaluation. In: Recent Adances in Intrusion Detection (RAID) 145-161. (2000)
49. McHugh, J.: Testing intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory. ACM Trans. Inform. Syst. Sec. 3(4), 262-294 (2000)
50. Moore, H.D.: The metasploit project - open-source platform for developing, testing, and using exploit code. http://www.metasploit.com (2005)
51. Lodhi, H., Saunders, C., Shawe-Taylor, J., Cristianini, N., Watkins, C.: Text classification using string kernels. J. Mach. Learn. Res. 2, 419-444 (2002)
52. Tan, K., Maxion, R.: "Why 6?" Defining the operational limits of stide, an anomaly-based intrusion detector. In: Proceedings of IEEE Symposium on Security and Privacy, 188-201 (2002)
53. Roesch, M.: Snort: Lightweight intrusion detection for networks. In: Proceedings of USENIX Large Installation System Administration Conference LISA, 229-238 (1999)
54. Microsoft: MS00-078-web server folder traversal vulnerability. Microsoft Sec. Bull. (2000)
55. Anonymous: Once upon a free() ... Phrack Magazine 0xb(0x39) (2001) 57-0x09
56. Kreibich, C., Crowcroft, J.: Honeycomb-creating intrusion detection signatures using honeypots. In: Proceedings of Workshop on Hot Topics in Networks (2003)
57. Kim, H.A., Karp, B.: Autograph: toward automated, distributed worm signature detection. In: Proceedings of USENIX Security Symposium (2004)
58. Singh, S., Estan, G., Varghese, G., Savage, S.: Automated worm fingerprinting. In: Proceedings of USENIX OSDI (2004)
59. Newsome, J., Karp, B., Song, D.: Polygraph: automatically generating signatures for polymorphic worms. In: Proceedings of IEEE Symposium on Security and Privacy 120-132 (2005)
60. Microsoft: MS05-021- vulnerability in exchange server could allow remote code execution: Microsoft Sec Bull. (2005)
61. Kolesnik, O., Dagon, D., Lee, W.: Advanced polymorphic worms: evading IDS by blending with normal traffic. In: Proceedings of USENIX Security Symposium (2004)
62. Robertson, A.M., Willett, P.: Applications of n-grams in textual information systems. J. Doc. 58(1), 48-49 (1998)
63. Watkins, C.: Dynamic alignment kernels. In: Smola, A., Bartlett, P., Schölkopf, B., Schuurmans, D., (eds) Advances in large Margin Classifiers, MIT, Cambridge 39-50 (2000)
64. Leslie, C., Eskin, E., Noble, W.: The spectrum kernel: a string kernel for SVM protein classification. In: Proceedings Pacific Symposium Biocomputing. 564-575 (2002)
65. Lee, W., Stolfo, S., Chan, P.: Learning patterns from unix process execution traces for intrusion detection. In: Proceedings of AAAI Workshop on Fraud Detection and Risk Management, Providence 50-56 (1997)
66. Michael, C.: Finding the vocabulary of program behavior data for anomaly detection. In: Proceedings of DARPA Information Survivability Conference and Exposition (DISCEX) 152-163 (2003)
67. Abou-Assaleh, T, Cercone, N., Keselj, V., Sweidanm, R.: Detection of new malicious code using n-grams signatures. In: Proceedings Second Annual Conference on Privacy, Security and Trust, 193-196 (2004)
68. Karim, M., Walenstein, A., Lakhotia, A., Laxmi, P.: Malware phylogeny generation using permutations of code. J. Comput. Virol. 1(1-2), 13-23 (2005)
69. Kolter, J., Maloof, M.: Learning to detect and classify malicious executables in the wild. J. Mach. Learn. Res. (2006) (to appear)