Effective Anomaly Detection with Scarce Training Data

Proceedings of the Symposium on Network and Distributed System Security, NDSS 2010

Volumn , Issue , 2010, Pages

  Robertson, William ^a   Maggi, Federico ^b   Kruegel, Christopher ^c   Vigna, Giovanni ^c  

^a UNIVERSITY OF CALIFORNIA   (United States)

^b POLITECNICO DI MILANO   (Italy)

^c UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

Anomaly detection; training data; web application

Indexed keywords

HTTP; KNOWLEDGE BASED SYSTEMS; LEARNING SYSTEMS; REAL TIME SYSTEMS; WEB SERVICES;

ANOMALY DETECTION; ANOMALY DETECTION SYSTEMS; ANOMALY DETECTOR; BLACK BOXES; CONTENT PUBLISHING; TIME FRAME; TRAINING DATA; UNKNOWN ATTACKS; WEB APPLICATION; WEB APPLICATIONS;

ANOMALY DETECTION;

EID: 85180537732     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (47)

1. J. Alpert and N. Hajaj. We knew the web was big... http://googleblog.blogspot.com/2008/07/we-knew-web-was-big.html, July 2008.
2. S. Axelsson. The Base-Rate Fallacy and the Difficulty of Intrusion Detection. ACM Transactions on Information and System Security, 3(3):186–205, August 2000.
3. S. Bhatkar, A. Chaturvedi, and R. Sekar. Dataflow Anomaly Detection. In Proceedings of the IEEE Symposium on Security and Privacy (S&P 2006), Oakland, CA, USA, May 2006. IEEE Computer Society.
4. Breach Security, Inc. Breach WebDefend. http://www.breach.com/products/webdefend.html, January 2009.
5. S. Cho and S. Cha. SAD: Web Session Anomaly Detection Based on Parameter Estimation. Computers & Security, 23(4):312–319, 2004.
6. Citrix Systems, Inc. Citrix Application Firewall. http://www.citrix.com/English/PS2/products/product.asp?contentID=25636, January 2009.
7. W. Cohen, P. Ravikumar, and S. Fienberg. A comparison of string distance metrics for name-matching tasks. In Proceedings of the IJCAI-2003 Workshop on Information Integration on the Web (IIWeb-03), 2003.
8. G. F. Cretu, A. Stavrou, M. E. Locasto, S. J. Stolfo, and A. D. Keromytis. Casting out Demons: Sanitizing Training Data for Anomaly Sensors. In Proceedings of the IEEE Symposium on Security and Privacy (S&P 2008), pages 81–95, Oakland, CA, USA, May 2008. IEEE Computer Society.
9. D. E. Denning. An Intrusion-Detection Model. IEEE Transactions on Software Engineering, 13(2):222–232, 1987.
10. H. J. Escalante and O. Fuentes. Kernel Methods for Anomaly Detection and Noise Elimination. In Proceedings of the International Conference on Computing (CORE 2006), pages 69–80, Mexico City, Mexico, 2006.
11. F5 Networks, Inc. BIG-IP Application Security Manager. http://www.f5.com/products/big-ip/product-modules/ application-security-manager.html, January 2009.
12. S. Forrest, S. A. Hofmeyr, A. Somayaji, and T. A. Longstaff. A Sense of Self for Unix Processes. In Proceedings of the IEEE Symposium on Security and Privacy (S&P 1996), pages 120–128, Oakland, CA, USA, May 1996. IEEE Computer Society.
13. V. Frias-Martinez, S. J. Stolfo, and A. D. Keromytis. Behavior-Profile Clustering for False Alert Reduction in Anomaly Detection Sensors. In Proceedings of the Annual Computer Security Applications Conference (ACSAC 2008), Anaheim, CA, USA, December 2008.
14. J. T. Giffin, D. Dagon, S. Jha, W. Lee, and B. P. Miller. Environment-Sensitive Intrusion Detection. In Proceedings of the International Symposium on Recent Advances in Intrusion Detection (RAID), pages 185–206. Springer-Verlag, 2005.
15. rd International Conference on Convergence and Hybrid Information Technology (ICCIT 2008), pages 112–116, Washington, DC, USA, 2008. IEEE Computer Society.
16. B. Juang and L. Rabiner. A probabilistic distance measure for hidden Markov models. AT&T Bell Laboratories Technical Journal, 64(2):391–408, 1985.
17. S.-i. Kim and N. Nwanze. Noise-Resistant Payload Anomaly Detection for Network Intrusion Detection Systems. In Proceedings of the Performance, Computing and Communications Conference (IPCCC 2008), pages 517–523, Austin, TX, USA, December 2008. IEEE Computer Society.
18. C. Kruegel, D. Mutz, W. Robertson, and F. Valeur. Bayesian Event Classification for Intrusion Detection. In Proceedings of the Annual Computer Security Applications Conference (ACSAC 2003), Las Vegas, NV, USA, December 2003.
19. C. Kruegel, W. Robertson, and G. Vigna. A Multi-model Approach to the Detection of Web-based Attacks. Journal of Computer Networks, 48(5):717–738, July 2005.
20. C. Kruegel, T. Toth, and E. Kirda. Service-Specific Anomaly Detection for Network Intrusion Detection. In Proceedings of the Symposium on Applied Computing (SAC 2002), Spain, March 2002.
21. W. Lee and S. J. Stolfo. A Framework for Constructing Features and Models for Intrusion Detection Systems. ACM Transactions on Information and System Security, 3(4):227–261, 2000.
22. R. Little and D. Rubin. Statistical analysis with missing data. Wiley New York, 1987.
23. R. B. Lyngsø, C. N. S. Pedersen, and H. Nielsen. Metrics and similarity measures for hidden markov models. In Proceedings of the Seventh International Conference on Intelligent Systems for Molecular Biology, pages 178–186. AAAI Press, 1999.
24. F. Maggi, M. Matteucci, and S. Zanero. Detecting intrusions through system call sequence and argument analysis (preprint). IEEE Transactions on Dependable and Secure Computing, 99(1), 2009.
25. M. Mahoney and P. Chan. Detecting novel attacks by identifying anomalous network packet headers. Technical Report CS-2001-2, Florida Institute of Technology, 2001.
26. M. V. Mahoney and P. K. Chan. Learning Rules for Anomaly Detection of Hostile Network Traffic. In Proceedings of the IEEE International Conference on Data Mining, 2003.
27. Miniwatts Marketing Group. World Internet Usage Statistics. http://www.internetworldstats.com/stats.htm, January 2009.
28. D. Mutz, F. Valeur, C. Kruegel, and G. Vigna. Anomalous System Call Detection. ACM Transactions on Information and System Security, 9(1):61–93, February 2006.
29. Open Security Foundation. DLDOS: Data Loss Database – Open Source. http://datalossdb.org/, January 2009.
30. W. Robertson, G. Vigna, C. Kruegel, and R. A. Kemmerer. Using Generalization and Characterization Techniques in the Anomaly-based Detection of Web Attacks. In Proceedings of the Network and Distributed System Security Symposium (NDSS 2006), San Diego, CA, USA, February 2006.
31. R. Sekar, M. Bendre, D. Dhurjati, and P. Bollineni. A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors. In Proceedings of the IEEE Symposium on Security and Privacy (S&P 2001), pages 144–155, Oakland, CA, USA, May 2001. IEEE Computer Society.
32. R. Sekar, A. Gupta, J. Frullo, T. Shanbhag, A. Tiwari, H. Yang, and S. Zhou. Specification-based Anomaly Detection: A New Approach for Detecting Network Intrusions. In Proceedings of the ACM Conference on Computer and Communications Security (CCS 2002), pages 265–274, New York, NY, USA, 2002. ACM Press.
33. O. Shezaf, J. Grossman, and R. Auger. Web Hacking Incidents Database. http://www.xiom.com/ whid-about, January 2009.
34. A. Singer. Social Media, Web 2.0 And Internet Stats. http://thefuturebuzz.com/2009/01/12/social-media-web-20-internet-numbers-stats/, January 2009.
35. Y. Song, A. D. Keromytis, and S. J. Stolfo. Spectrogram: A Mixture-of-Markov-Chains Model for Anomaly Detection in Web Traffic. In Proceedings of the Network and Distributed System Security Symposium (NDSS 2009), San Diego, CA, USA, February 2009.
36. A. Stolcke and S. Omohundro. Hidden Markov Model Induction by Bayesian Model Merging. Advances in Neural Information Processing Systems, pages 11–11, 1993.
37. A. Stolcke and S. Omohundro. Inducing Probabilistic Grammars by Bayesian Model Merging. Lecture Notes in Computer Science, pages 106–106, 1994.
38. G. Tandon and P. Chan. Learning Rules from System Call Arguments and Sequences for Anomaly Detection. In ICDM Workshop on Data Mining for Computer Security (DMSEC), pages 20–29, 2003.
39. G. Tandon, P. Chan, and D. Mitra. MORPHEUS: Motif Oriented Representations to Purge Hostile Events from Unlabeled Sequences. In Proceedings of the 2004 ACM Workshop on Visualization and Data Mining for Computer Security, pages 16–25, Washington DC, USA, 2004. ACM.
40. D. Turner, M. Fossi, E. Johnson, T. Mark, J. Blackbird, S. Entwise, M. K. Low, D. McKinney, and C. Wueest. Symantec Global Internet Security Threat Report – Trends for 2008. Technical Report XIV, Symantec Corporation, April 2009.
41. A. Valdes and K. Skinner. Adaptive, Model-based Monitoring for Cyber Attack Detection. In H. Debar, L. Me, and F. Wu, editors, Proceedings of the International Symposium on Recent Advances in Intrusion Detection (RAID 2000), number 1907 in Lecture Notes in Computer Science, pages 80–92, Toulouse, France, October 2000. Springer-Verlag.
42. D. Wagner and D. Dean. Intrusion Detection via Static Analysis. In Proceedings of the IEEE Symposium on Security and Privacy (S&P 2001), pages 156–168, Oakland, CA, USA, 2001. IEEE Computer Society.
43. K. Wang, J. J. Parekh, and S. J. Stolfo. Anagram: A Content Anomaly Detector Resistant to Mimicry Attack. In Proceedings of the International Symposium on Recent Advances in Intrusion Detection (RAID 2006), Hamburg, GR, September 2006. Springer-Verlag.
44. K. Wang and S. J. Stolfo. Anomalous Payload-based Network Intrusion Detection. In Proceedings of the International Symposium on Recent Advances in Intrusion Detection (RAID 2004). Springer-Verlag, September 2004.
45. R. Xu and D. Wunsch. Survey of clustering algorithms. IEEE Transactions on Neural Networks, 16(3):645–678, 2005.
46. R. H. Zakon. Hobbes’ Internet Timeline v8.2. http://www.zakon.org/robert/internet/timeline/, November 2006.
47. S. Zanero and S. M. Savaresi. Unsupervised learning techniques for an intrusion detection system. In Proceedings of the 2004 ACM Symposium on Applied Computing, pages 412–419. ACM Press, 2004.