Anomaly-based network intrusion detection: Techniques, systems and challenges

Computers and Security

Volumn 28, Issue 1-2, 2009, Pages 18-28

  Garcia Teodoro P ^a   Diaz Verdejo J ^a   Macia Fernandez G ^a   Vazquez E ^b  

^a Department of Signal Theory   (Spain)

^b UNIVERSIDAD POLITÉCNICA DE MADRID   (Spain)

Author keywords

Anomaly detection; Assessment; IDS systems and platforms; Intrusion detection; Network security; Threat

Indexed keywords

INTERNET; METROPOLITAN AREA NETWORKS; NETWORK SECURITY; PROJECT MANAGEMENT;

ADAPTIVE SECURITIES; ANOMALY DETECTION; ASSESSMENT; DETECTION TECHNIQUES; IDS SYSTEMS AND PLATFORMS; INTRUSION DETECTORS; MALICIOUS ACTIVITIES; NETWORK INTRUSION DETECTIONS; RESEARCH PROJECTS; SECURITY THREATS; SECURITY TOOLS; SPECIAL EMPHASES; SYSTEMS UNDER DEVELOPMENTS; TARGET SYSTEMS; THREAT;

INTRUSION DETECTION;

EID: 57849130705     PISSN: 01674048     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.cose.2008.08.003     Document Type: Article

References (50)

1. Anderson D., Lunt T.F., Javitz H., Tamaru A., and Valdes A. Detecting unusual program behaviour using the statistical component of the next-generation intrusion detection expert system (NIDES) (1995), Computer Science Laboratory, SRI International, Menlo Park, CA, USA SRIO-CSL-95-06
2. Athanasiades N., Abler R., Levine J., Owen H., and Riley G. Intrusion detection testing and benchmarking methodologies. Proceedings of the 1st IEEE international workshop on information assurance (2003), IEEE Computer Society Press 63-72
3. Axelsson S. Research in intrusion detection systems: a survey. Technical report. Chalmers University of Technology. Goteborg 1998.
4. Axelsson S. The Base-rate fallacy and its implications for the difficulty of intrusion detection. ACM Transactions on Information and System Security 3 (2000) 186-205
5. Barnett V., and Lewis T. Outliers in statistical data (1994), Wiley. 9780471930945
6. Bermúdez-Edo M., Salazar-Hernández R., Díaz-Verdejo J.E., García-Teodoro P. Proposals on assessment environments for anomaly-based network intrusion detection systems. LNCS 4347; 2006. pp. 210-221.
7. Breunig M., Kriegel H.P., Ng R.T., Sander J. LOF: identifying density-based local outliers. In: Proceedings of the ACM SIGMOD, International Conference on Management of Data; 2000. pp. 93-104.
8. Bridges S.M., Vaughn R.B. Fuzzy data mining and genetic algorithms applied to intrusion detection. In: Proceedings of the National Information Systems Security Conference; 2000. pp. 13-31.
9. Cansian A.M., Moreira E., Carvalho A., Bonifacio J.M. Network intrusion detection using neural networks. In: International Conference on Computational Intelligence and Multimedia Applications (ICCMA'97); 1997. pp. 276-280.
10. Cohen W.W. Fast effective rule induction. In: Proceedings 12th International Conference on Machine Learning; 1995., pp. 115-123.
11. Debar H., Becker M., Siboni, D. A neural network component for an intrusion detection system. In: IEEE Symposium on Research in Computer Security and Privacy; 1992. pp. 240-250.
12. Debar H., Dacier M., Wespi A., and Lampart S. An experimentation workbench for intrusion detection systems. Research Report RZ 2998 (1998), IBM Reserarch Division, Zurich Research Laboratory
13. Denning D.E., and Neumann P.G. Requirements and model for IDES - a real-time intrusion detection system (1985), Computer Science Laboratory, SRI International Technical Report #83F83-01-00
14. Denning E.D. An intrusion-detection model. IEEE Transactions on Software Engineering 13 2 (1987) 222-232
15. Detecting hackers (analyzing network traffic) by Poisson model measure. Available from:. http://www.ensc.sfu.ca/people/grad/pwangf/IPSW_report.pdf
16. Dickerson J.E. Fuzzy network profiling for intrusion detection. In: Proceedings of the 19th International Conference of the North American Fuzzy Information Processing Society (NAFIPS); 2000. pp. 301-306.
17. Estévez-Tapiador J.M., García-Teodoro P., and Díaz-Verdejo J.E. Stochastic protocol modeling for anomaly based network intrusion detection. Proceedings of IWIA 2003 (2003), IEEE Press. 0-7695-1886-9 3-12
18. Estévez-Tapiador J.M., García-Teodoro P., and Díaz-Verdejo J.E. Anomaly detection methods in wired networks: a survey and taxonomy. Computer Networks 27 16 (2004) 1569-1584
19. Estévez-Tapiador J.M., García-Teodoro P., Díaz-Verdejo J.E. Detection of web-based attacks through Markovian protocol parsing. In: Proc. ISCC05; 2005 pp. 457-462.
20. Fan J., Xu J., Ammar M.H., and Moon S.B. Prefix-preserving IP address anonymization: measurement-based security evaluation and a new cryptography-based scheme. Computers Networks 46 2 (2004) 253-272
21. Fayyad U., Piatetsky-Shapiro G., and Smyth P. The KDD process for extracting useful knowledge from volumes of data. Communications of the ACM 29 11 (1996) 27-34
22. Fox K., Henning R., Reed J., Simonian, R. A neural network approach towards intrusion detection. In: 13th National Computer Security Conference; 1990. pp. 125-134.
23. Gaffney J., and Ulvila J. Evaluation of intrusion detectors: a decision theory approach. IEEE Symposium on Security and Privacy (2001) 50-61
24. Heckerman D. A tutorial on learning with Bayesian networks (1995), Microsoft Research Technical Report MSRTR-95-06
25. Kabiri P., and Ghorbani A.A. Research in intrusion detection and response - a survey. International Journal of Network Security 1 2 (2005) 84-102
26. Kruegel C., Valeur F., Vigna G., and Kemmerer R. Statetul intrusion detection for high-speed networks. IEEE Symposium on Security and Privacy (2002) 285-294
27. Kruegel C., Mutz D., Robertson W., Valeur F. Bayesian event classification for intrusion detection. In: Proceedings of the 19th Annual Computer Security Applications Conference; 2003.
28. Lazarevic A., Kumar V., and Srivastava J. Intrusion detection: a survey. Managing cyber threats: issues, approaches, and challenges (2005), Springer Verlag p. 330
29. Lee W., Stolfo S.J. Data mining approaches for intrusion detection. In: Proceedings of the 7th USENIX Security Symposium (SECURITY-98); 1998. pp. 79-94.
30. Li W. Using genetic algorithm for network intrusion detection (2004), C.S.G. Department of Energy p. 1-8
31. Liao Y., and Vemuri V.R. Use of K-nearest neighbor classifier for intrusion detection. Computers & Security 21 (2002) 439-448
32. Lippmann R., Haines J., Fried D., Korba J., and Das K. Analysis and results of the 1999 DARPA off-line intrusion detection evaluation. Computer Networks 34 4 (2000) 579-595
33. Mahoney M.V., Chan P.K. Learning nonstationary models of normal network traffic for detecting novel attacks. In: Proceedings of the Eighth ACM SIGKDD; 2002. pp. 376-385.
34. Mahoney M., Chan P.K. An analysis of the 1999 DARPA/Lincoln laboratory evaluation data for network anomaly detection. Florida tech. report CS-2003-02; 2003.
35. McHugh J. The 1998 Lincoln laboratory IDS evaluation. A critique. RAID. LNCS vol. 1907 (2000) 145-161
36. Mell P., Hu V., Lippman R., Haines J., and Zissman M. An overview o issues in testing intrusion detection systems". NIST Interagency Report NIST IR 7007. Available from: (2003). http://csrc.nist.gov/publications/nistir/nistir-7007.pdf
37. PMG. Maximizing the value of network intrusion detection. A corporate white paper from the product management group ofintrusion.com; 2001.
38. Portnoy L., Eskin E., Stolfo S.J. Intrusion detection with unlabeled data using clustering. In: Proceedings of The ACM Workshop on Data Mining Applied to Security; 2001.
39. Ptacek T., and Newsham T. Insertion, evasion and denial of service: eluding network intrusion detection (2003), Secure Networks
40. Puketza N., Zhang K., Chung M., Mukherjee B., and Olsson R. A methodology for testing intrusion detection systems. IEEE Software 4 5 (1997) 43-51
41. Ramadas M., Ostermann S., and Tjaden B. Detecting anomalous network traffic with self-organizing maps. Recent advances in intrusion detection, RAID. Lecture notes in computer science (LNCS) vol. 2820 (2003) 36-54
42. Rossey L., Rabek J., Cunnigham R., Fried R., Lippmann R., and Zissmann R. LARIAT: Lincoln adaptable real-time information assurance test-bed (2001), RAID
43. Sekar R., Gupta A., Frullo J., Shanbhag T., Tiwari A., Yang H., et al. Specification-based anomaly detection: a new approach for detecting network intrusions. In: Proceedings of the Ninth ACM Conference on Computer and Communications Security; 2002. pp. 265-274.
44. Sequeira K., Zaki M. ADMIT: anomaly-based data mining for intrusions. In: Proceedings of the 8th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining; 2002. pp. 386-395.
45. Sobh T.S. Wired and wireless intrusion detection system: classifications, good characteristics and state-of-the-art. Computer Standards & Interfaces 28 (2006) 670-694
46. Staniford-Chen S., Tung B., Porrar P., Kahn C., Schnackenberg D., Feiertag R., et al. The common intrusion detection framework-data formats. 1998. Internet draft 'draft-staniford-cidf-data-formats-00.txt'.
47. Stolfo S.J., and Fan W. Cost-based modeling for fraud and intrusion detection: results from the JAM project. DARPA Information Survivability Conference & Exposition (2000) 130-144
48. Wang W., Battiti R. Identifying intrusions in computer networks with principal component analysis. In: The First International Conference on Availability, Reliability and Security; 2006. pp. 270-279. Vienna, Austria.
49. Ye N., Emran S.M., Chen Q., and Vilbert S. Multivariate statistical analysis of audit trails for host-based intrusion detection. IEEE Transactions on Computers 51 7 (2002)
50. Yeung D.Y., and Ding Y. Host-based intrusion detection using dynamic and static behavioral models. Pattern Recognition 36 1 (2003) 229-243