Autonomic parameter tuning of anomaly-based IDSs: An SSH case study

IEEE Transactions on Network and Service Management

Volumn 9, Issue 2, 2012, Pages 128-141

  Sperotto, Anna ^a   Mandjes, Michel ^b   Sadre, Ramin ^a   De Boer, Pieter Tjerk ^a   Pras, Aiko ^a  

^a UNIVERSITY OF TWENTE   (Netherlands)

^b UNIVERSITY OF AMSTERDAM   (Netherlands)

Author keywords

anomalies; Autonomic; intrusion detection; network management; parameter optimization

Indexed keywords

ANOMALIES; ANOMALY-BASED INTRUSION DETECTION; AUTONOMIC; DETECTION SYSTEM; FALSE ALARMS; FALSE POSITIVE RATES; NETWORK BEHAVIORS; NETWORK TRAFFIC; NUMBER OF FALSE ALARMS; PARAMETER OPTIMIZATION; PARAMETER-TUNING; TRUE POSITIVE RATES;

COMPUTER CRIME; ERRORS; HUMAN RESOURCE MANAGEMENT; INTERNET PROTOCOLS; MANAGERS; NETWORK MANAGEMENT; OPTIMIZATION;

INTRUSION DETECTION;

EID: 84862147735     PISSN: 19324537     EISSN: None     Source Type: Journal    
DOI: 10.1109/TNSM.2012.031512.110146     Document Type: Article

References (41)

1. P. García-Teodoro, J. Díaz-Verdejo, G. Maciá- Fernández, and E. Vázquez, "Anomaly-based network intrusion detection: techniques, systems and challenges," Computers & Security, vol. 28, no. 1-2, pp. 18-28, 2009.
2. A. Sperotto, "Flow-based intrusion detection," Ph.D. dissertation, Universiteit Twente, Oct. 2010.
3. A. Sperotto, G. Schaffrath, R. Sadre, C. Morariu, A. Pras, and B. Stiller, "An overview of IP flow-based intrusion detection," IEEE Commun. Surveys & Tutorials, vol. 12, no. 3, pp. 343-356, 2010.
4. A. Pras, R. Sadre, A. Sperotto, T. Fioreze, D. Hausheer, and J. Schoenwaelder, "Using netflow/IPFIX for network management," J. Network and Systems Management, vol. 17, no. 4, pp. 482-487, 2009.
5. J. Quittek, T. Zseby, B. Claise, and S. Zander, "Requirements for IP Flow Information Export (IPFIX)," RFC 3917 (informational).
6. A. Sperotto and A. Pras, "Flow-based intrusion detection," in Proc. 2011 IFIP/IEEE International Symposium on Integrated Network Management, pp. 958-963.
7. A. Sperotto, R. Sadre, P. de Boer, and A. Pras, "Hidden Markov model modeling of SSH brute-force attacks," in Proc. 2009 IFIP/IEEE Int. Workshop on Distributed Systems: Operations and Management, pp. 164-176.
8. V. A. Siris and F. Papagalou, "Application of anomaly detection algorithms for detecting SYN flooding attacks," Computer Commun., vol. 29, no. 9, pp. 1433-1442, 2006.
9. Z. Yu, J. J. P. Tsai, and T. Weigert, "An adaptive automatically tuning intrusion detection system," ACM Trans. Auton. Adapt. Syst., vol. 3, pp. 1-25, 2008.
10. S. il Kim, N. Nwanze, and J. Kintner, "Towards dynamic self-tuning for intrusion detection systems," in Proc. 2010 Int. IEEE Performance Computing and Communications Conference, pp. 17-24.
11. Y. Himura, K. Fukuda, K. Cho, and H. Esaki, "An evaluation of automatic parameter tuning of a statistics-based anomaly detection algorithm," Int. J. Netw. Manag., vol. 20, pp. 295-316, 2010.
12. L. Ho, D. Cavuto, S. Papavassiliou, and A. Zawadzki, "Adaptive/ automated detection of service anomalies in transaction-oriented WANS: network analysis, algorithms, implementation, and deployment," IEEE J. Sel. Areas Commun., vol. 18, no. 5, pp. 744-757, 2000.
13. M. Thottan and C. Ji, "Proactive anomaly detection using distributed intelligent agents," IEEE Network, vol. 12, pp. 21-27, 1998. (Pubitemid 128570724)
14. -, "Anomaly detection in IP networks," IEEE Trans. Signal Process., vol. 51, pp. 2191-2204, 2003.
15. M. Mandjes, I. Saniee, and A. Stolyar, "Load characterization, overload prediction, and load anomaly detection for voice over IP traffic," IEEE Trans. Neural Networks, vol. 16, no. 5, pp. 1019-1028, 2005.
16. M. Mandjes and P. Zuraniewski, "A queueing-based approach to overload detection," in Proc. 2009 Euro-NF Conference on Network Control and Optimization, pp. 91-106.
17. D. Siegmund, Sequential Analysis. Springer-Verlag, 1985.
18. S.-Y. Lin, J.-C. Liu, and W. Zhao, "Adaptive CUSUM for anomaly detection and its application to detect shared congestion," Texas A&M University, Technical Report TAMU-CS-TR-2007-1-2, 2007.
19. G. Münz and G. Carle, "Application of forecasting techniques and control charts for traffic anomaly detection," in Proc. 2008 ITC Specialist Seminar on Network Usage and Traffic.
20. A. Tartakovsky and V. Veeravalli, "Changepoint detection in multichannel and distributed systems with applications," Applications of Sequential Methodologies, pp. 331-363, 2004.
21. E. Freire, A. Ziviani, and R. Salles, "Detecting VoIP calls hidden in web traffic," IEEE Trans. Network and Service Management, vol. 5, no. 4, pp. 204-214, 2008.
22. A. Dainotti, W. de Donato, A. Pescapne, and P. Rossi, "Classification of network traffic via packet-level hidden Markov models," in Proc. 2208 IEEE Global Telecommunications Conference, pp. 1-5.
23. T. Nguyen and G. Armitage, "A survey of techniques for Internet traffic classification using machine learning," IEEE Commun. Surveys Tutorials, vol. 10, no. 4, pp. 56-76, 2008.
24. A. W. Moore and D. Zuev, "Internet traffic classification using Bayesian analysis techniques," SIGMETRICS Perform. Eval. Rev., vol. 33, pp. 50-60, 2005. (Pubitemid 43275409)
25. J. François, H. Abdelnur, R. State, and O. Festor, "Machine learning techniques for passive network inventory," IEEE Trans. Network and Service Management, vol. 7, no. 4, pp. 244-257, 2010.
26. F. Camastra and A. Vinciarelli, Markovian Models for Sequential Data. Springer London, 2008.
27. L. E. Baum, T. Petrie, G. Soules, and N. Weiss, "A maximization technique occurring in the statistical analysis of probabilistic functions of Markov chains," Annals of Mathematical Statistics, vol. 41, no. 1, pp. 164-171, 1970.
28. L. R. Rabiner, "A tutorial on hidden Markov models and selected applications in speech recognition," Proc. IEEE, vol. 77, no. 2, pp. 257-286, 1989.
29. G. A. Fink, Markov Models for Pattern Recognition: From Theory to Applications. Springer-Verlag, 2008.
30. D. X. Song, D. Wagner, and X. Tian, "Timing analysis of keystrokes and timing attacks on SSH," in Proc. 2001 Conference on USENIX Security Symposium -Volume 10, pp. 25-25.
31. C. V. Wright, F. Monrose, and G. M. Masson, "HMM profiles for network traffic classification," in Proc. 2004 Workshop on Visualization and Data Mining for Computer Security, pp. 9-15.
32. D. Gao, M. K. Reiter, and D. X. Song, "Behavioral distance measurement using hidden Markov models," in Proc. 2006 Int. Symposium Recent Advances in Intrusion Detection, pp. 19-40.
33. C. Warrender, S. Forrest, and B. Pearlmutter, "Detecting intrusions using system calls: alternative data models," in Proc. 1999 IEEE Symposium on Security and Privacy, pp. 133-145.
34. C. Seifert, "Analyzing malicious SSH login attempts," http://www.securityfocus.com/infocus/1876, May 2011.
35. SANS Institute, "Top-20 2007 security risks (2007 annual update)," www.sans.org, May 2011.
36. A. Sperotto, R. Sadre, D. F. van Vliet, and A. Pras, "A labeled data set for flow-based intrusion detection," in Proc. 2009 IEEE Int. Workshop on IP Operations and Management, pp. 39-50.
37. A. Sperotto, R. Sadre, and A. Pras, "Anomaly characterization in flowbased traffic time series," in Proc. 2008 IEEE Int. Workshop on IP Operations and Management, pp. 15-27.
38. H. Debar, M. Dacier, and A. Wespi, "A revised taxonomy for intrusion detection systems," Annales des Telecommunications, vol. 55, no. 7-8, pp. 361-378, 2000.
39. T. Fawcett, "An introduction to ROC analysis," Pattern Recognition Lett., vol. 27, no. 8, pp. 861-874, 2006.
40. D. Bolzoni, "Revisiting anomaly-based network intrusion detection systems," Ph.D. dissertation, University of Twente, Enschede, June 2009.
41. Q. Qian and M. Xin, "Research on hidden Markov model for system call anomaly detection," in Proc. 2007 Pacific Asia Workshop on Intelligence and Security Informatics, pp. 152-159.