Comparing anomaly detection techniques for HTTP

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 4637 LNCS, Issue , 2007, Pages 42-62

  Ingham, Kenneth L ^a   Inoue, Hajime ^b  

^a University of New Mexico   (United States)

^b CARLETON UNIVERSITY   (Canada)

Author keywords

Anomaly detection; Comparison; HTTP; Hypertext transport protocol; Intrusion detection

Indexed keywords

ACCESS CONTROL; ALGORITHMS; DATA REDUCTION; NETWORK PROTOCOLS; TEXT PROCESSING;

ANOMALY DETECTION; HYPERTEXT TRANSPORT PROTOCOL (HTTP);

INTRUSION DETECTION;

EID: 38149142569     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/978-3-540-74320-0_3     Document Type: Conference Paper

References (40)

1. Apple Computer: Tunneling RTSP and RTP over HTTP (2006) (accessed September 13, 2006), http://developer.apple.com/documentation/QuickTime/QTSS/ Concepts/chapter-2.section.14. html
2. Athanasiades, N., Abler, R., Levine, J., Owen, H., Riley, G.: Intrusion detection testing and benchmarking methodologies. In: IEEE-IWIA '03: Proceedings of the First IEEE International Workshop on Information Assurance (IWIA'03), Washington, DC, USA, page 63, IEEE Computer Society, Los Alamitos (2003)
3. Booth, D., Haas, H., McCabe, F., Newcomer, E., Champion, M., Ferris, C., Orchard, D.: Web services architecture. Technical Report W3C Working Group Note 11 February 2004, World Wide Web Consortium (W3C) (2004) (accessed 2007-04-05), online at http://www.w3.org/TR/ws-arch/
4. Cohen, C.F.: CERT advisory CA-2002-17 Apache web server chunk handling vulnerability (July 2002) (accessed July 24, 2002), http://www.cert.org/ advisories/CA-2002-17.html
5. Corporation, M.: Common vulnerabilities and exposures (accessed June 16, 2006), http://eve.mitre.org/
6. Curry, D., Debar, H.: Intrusion detection message exchange format data model and extensible markup language (XML) document type definition (December 2002) (accessed January 1, 2003), http://www.ietf.org/internet-drafts/draft- ietf-idwg-idmef-xml-09.txt
7. cve.mitre.org: CVE-1999-0107 (July 1999) (accessed September 3, 2006), http://www.eve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0107
8. cve.mitre.org: CVE-1999-1199 (September 2004) (accessed October 30, 2005), http://www.eve.mitre.org/cgi-bin/cvename.cgi?name=CVE=1999-1199
9. Damashek, M.: Gauging similarity with n-grams: language-independent categorization of text. Science 267(5199), 843-848 (1995)
10. Danyliw, R., Dougherty, C., Householder, A., Ruefle, R.: CERT advisory CA-2001-26 Nimda worm (September 2001), http://www.cert.org/advisories/CA-2001- 26.html
11. Debar, H., Dacier, M., Wespi, A., Lampart, S.: An experimentation workbench for intrusion detection systems. Technical Report RZ 6519, IBM Research Division, Zurich Research Laboratory, 8803 Rüuschlikon, Switzerland (September 1998)
12. Eastlake, D., Khare, R., Miller, J.: Selecting payment mechanisms over HTTP (2006) (accessed September 13, 2006), http://www.w3.org/TR/WD-jepi-uppflow- 970106
13. Estévez-Tapiador, J.M., García-Teodoro, P., Díaz-Verdejo, J.E.: Measuring normality in http traffic for anomaly-based intrusion detection. Journal of Computer Networks 45(2), 175-193 (2004)
14. Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., BernersLee, T.: Hypertext transfer protocol - HTTP/1.1. RFC 2616 (June 1999) (accessed October 2, 2002), ftp://ftp.isi.edu/in-notes/rfc2616.txt
15. Haines, J.W., Lippmann, R.P., Fried, D.J., Tran, E., Boswell, S., Zissman, M.A.: 1999 DARPA intrusion detection system evaluation: Design and procedures. Technical Report TR-1062, Lincoln Laboratory, Massachusetts Institute of Technology, Lexington, MA, USA (February 2001)
16. Hancock, J., Wintz, P.: Signal Detection Theory. McGraw-Hill, New York (1966)
17. Heberlein, L.: Network security monitor (NSM)-final report. Technical report, University of California at Davis Computer Security Lab, Lawrence Livermore National Laboratory project deliverable (1995), http://seclab.cs. ucdavis.edu/papers/NSM-final.pdf
18. Heberlein, L., Dias, G., Levitt, K., Mukherjee, B., Wood, J., Wolber, D.: A network security monitor. In: 1990 IEEE Computer Society Symposium on Research in Security and Privacy, Oakland, CA, USA, May 7-9, 1990, pp. 296-304. IEEE Computer Society Press, Los Alamitos, CA, USA (1990)
19. Hernández, L.O., Pegan, M.: WebDAV: what it is, what it does, why you need it. In: SIGUCCS '03: Proceedings of the 31st annual ACM SIGUCCS conference on User services, New York, NY, USA, pp. 249-254. ACM Press, New York (2003)
20. Ingham, K.L.: Anomaly Detection for HTTP Intrusion Detection: Algorithm Comparisons and the Effect of Generalization on Accuracy. PhD thesis, Department of Computer Science, University of New Mexico, Albuquerque, NM, 87131 (2007)
21. Ingham, K.L., Somayaji, A., Burge, J., Forrest, S.: Learning DFA representations of HTTP for protecting web applications. Computer Networks 51(5), 1239-1255 (2007)
22. Kruegel, C., Vigna, G.: Anomaly detection of web-based attacks. In: Proceedings of the 10th ACM conference on Computer and communications security, pp. 251-261. ACM Press, New York (2003)
23. Kruegel, C., Vigna, G., Robertson, W.: A multi-model approach to the detection of web-based attacks. Computer Networks 48(5), 717-738 (2005)
24. Lippmann, R., Haines, J., Fried, D., Korba, J., Das, K.: The 1999 DARPA off-line intrusion detection evaluation. Computer Networks 34(4), 579-595 (2000)
25. Mahoney, M.V.: Network traffic anomaly detection based on packet bytes. In: Proceedings of the 2003 ACM Symposium on Applied computing, pp. 346-350. ACM Press, New York (2003)
26. Mahoney, M.V., Chan, P.K.: Learning nonstationary models of normal network traffic for detecting novel attacks. In: Proceedings of the eighth ACM SIGKDD international conference on Knowledge discovery and data mining, pp. 376-385. ACM Press, New York (2002)
27. McHugh, J.: The 1998 Lincoln Laboratory IDS evaluation - a critique. In: Debar, H., Mé, L., Wu, S.F. (eds.) RAID 2000. LNCS, vol. 1907, pp. 145-161. Springer, Heidelberg (2000)
28. McHugh, J.: Testing intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory. ACM Transactions on Information and Systems Security 3(4), 262-294 (2000)
29. Microsoft Corporation: Exchange server 2003 RPC over HTTP deployment scenarios (2006) (accessed Sept 13, 2006), http://www.microsoft.com/ technetprodtechnol/exchange/2003/library/ex2k3rpc.mspx
30. Puketza, N., Chung, M., Olsson, R., Mukherjee, B.: A software platform for testing intrusion detection systems. IEEE Software 14(5), 43-51 (1997)
31. Puketza, N.J., Zhang, K., Chung, M., Mukherjee, B., Olsson, R.A.: A methodology for testing intrusion detection systems. IEEE Transactions on Software Engineering 22(10), 719-729 (1996)
32. Robertson, W., Vigna, G., Kruegel, C., Kemmerer, R.A.: Using generalization and characterization techniques in the anomaly-based detection of web attacks, In: Network and Distributed System Security Symposium Conference Proceedings: 2006. Internet Society (2006) (accessed February 12, 2006), http://www.isoc.org/isoc/conferences/ndss/06/proceedings/html/2006/papers/ anomaly_signatures.pdf
33. Stoicke, A., Omohundro, S.: Hidden Markov Model induction by bayesian model merging. In: Hanson, S.J., Cowan, J.D., Giles, C.L. (eds.) Advances in Neural Information Processing Systems, vol. 5, pp. 11-18. Morgan Kaufmann, San Mateo, CA (1993)
34. Stolcke, A., Omohundro, S.M.: Best-first model merging for hidden Markov model induction. Technical Report TR-94-003, International Computer Science Institute, 1947 Center Street, Suite 600, Berkeley, CA, 94704-1198 (1994)
35. Tombini, E., Debar, H., Mé, L., Ducassé, M.: A serial combination of anomaly and misuse IDSes applied to HTTP traffic. In: 20th Annual Computer Security Applications Conference (2004)
36. Vargiya, R., Chan, P.: Boundary detection in tokenizing network application payload for anomaly detection. In: Proceedings of the ICDM Workshop on Data Mining for Computer Security (DMSEC). Workshop held in conjunction with The Third IEEE International Conference on Data Mining, November 2003, pp. 50-59 (2003) (accessed April 5, 2006), available at http://www.cs.fit.edu/~pkc/ dmsec03/dmsec03notes.pdf
37. Wan, T., Yang, X.D.: IntruDetector: a software platform for testing network intrusion detection algorithms. In: Seventeenth Annual Computer Security Applications Conference, New Orleans, LA, USA, December 10-14, 2001, IEEE Computer Society, Los Alamitos, CA, USA (2001)
38. Wang, K., Stolfo, S.J.: Anomalous payload-based network intrusion detection. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol. 3224, pp. 203-222. Springer, Heidelberg (2004)
39. Warrender, C., Forrest, S., Pearlmutter, B.A.: Detecting intrusions using system calls: Alternative data models. In: IEEE Symposium on Security and Privacy, pp. 133-145. IEEE Computer Society Press, Los Alamitos (1999)
40. Wiers, D.: Tunneling SSH over HTTP(S) (2006) (accessed September 13, 2006), http://dag.wieers.com/howto/ssh-http-tunneling/