Results 1 - 10 of 223
Anomalous payload-based network intrusion detection
- RAID Symposium, 2004
Cited by 257 (14 self)
Abstract. We present a payload-based anomaly detector, which we call PAYL, for intrusion detection. PAYL models the normal application payload of network traffic in a fully automatic, unsupervised and very efficient fashion. We first compute during a training phase a profile byte frequency distribution and its standard deviation of the application payload flowing to a single host and port. We then use Mahalanobis distance during the detection phase to calculate the similarity of new data against the pre-computed profile. The detector compares this measure against a threshold and generates an alert when the distance of the new input exceeds this threshold. We demonstrate the surprising effectiveness of the method on the 1999 DARPA IDS dataset and a live dataset we collected on the Columbia CS department network. In one case nearly 100% accuracy is achieved with 0.1% false positive rate for port 80 traffic.
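The abstract above describes the whole PAYL pipeline (per host-and-port byte-frequency profile with mean and standard deviation, Mahalanobis distance to the profile, alert above a threshold) but not how the pieces fit in code. The following is an added example written for this page, not the PAYL authors' implementation. It assumes the simplified, per-byte (diagonal) Mahalanobis distance with a smoothing constant ALPHA added to each standard deviation, and a threshold set at a fixed margin above the largest training-set distance; the abstract only says "Mahalanobis distance" and "a threshold". All HTTP payloads and the binary attack payload are constructed for the example.

```python
"""PAYL-style payload anomaly detector (added example, not the authors' code).

Assumptions of this example, not stated in the abstract: diagonal Mahalanobis
distance with smoothing constant ALPHA; threshold = MARGIN * largest training
distance. All payloads below are constructed sample data.
"""
import math

ALPHA = 0.001   # assumption: smoothing so bytes never seen in training do not divide by zero
MARGIN = 1.5    # assumption: alert threshold relative to the largest training-set distance


def byte_frequencies(payload: bytes) -> list[float]:
    """Relative frequency of each of the 256 byte values in one payload."""
    counts = [0] * 256
    for b in payload:
        counts[b] += 1
    n = len(payload) or 1          # an empty payload yields the all-zero vector
    return [c / n for c in counts]


class PaylProfile:
    """Normal-traffic model for one (host, port): per-byte mean and std-dev."""

    def __init__(self) -> None:
        self.n = 0
        self.mean = [0.0] * 256
        self._m2 = [0.0] * 256     # running sum of squared deviations (Welford's method)

    def train(self, payload: bytes) -> None:
        self.n += 1
        for i, x in enumerate(byte_frequencies(payload)):
            delta = x - self.mean[i]
            self.mean[i] += delta / self.n
            self._m2[i] += delta * (x - self.mean[i])

    def stddev(self) -> list[float]:
        if self.n < 2:
            return [0.0] * 256
        return [math.sqrt(v / (self.n - 1)) for v in self._m2]

    def distance(self, payload: bytes) -> float:
        """Simplified Mahalanobis distance: sum_i |x_i - mean_i| / (sigma_i + ALPHA)."""
        return sum(abs(x - m) / (s + ALPHA)
                   for x, m, s in zip(byte_frequencies(payload), self.mean, self.stddev()))


class PaylDetector:
    """One profile and one threshold per destination (host, port)."""

    def __init__(self) -> None:
        self.profiles: dict[tuple[str, int], PaylProfile] = {}
        self.thresholds: dict[tuple[str, int], float] = {}

    def train(self, host: str, port: int, payloads: list[bytes]) -> None:
        profile = self.profiles.setdefault((host, port), PaylProfile())
        for p in payloads:
            profile.train(p)
        self.thresholds[(host, port)] = MARGIN * max(profile.distance(p) for p in payloads)

    def score(self, host: str, port: int, payload: bytes) -> float:
        if (host, port) not in self.profiles:
            raise KeyError(f"no profile trained for {host}:{port}")
        return self.profiles[(host, port)].distance(payload)

    def is_anomalous(self, host: str, port: int, payload: bytes) -> bool:
        return self.score(host, port, payload) > self.thresholds[(host, port)]


# Constructed sample traffic to port 80 (not captured data).
TRAINING_PAYLOADS = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: image/png\r\n\r\n",
    b"GET /about.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/7.64.1\r\nAccept: */*\r\n\r\n",
    b"GET /news/2004/raid.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n",
    b"GET /css/site.css HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/css\r\n\r\n",
    b"GET /contact.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Lynx/2.8.5\r\nAccept: text/html\r\n\r\n",
]
HELD_OUT_BENIGN = b"GET /index2.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n"
# Constructed stand-in for a binary exploit buffer in a text protocol: a long run of
# 0x90 bytes followed by a few high-valued bytes. Nothing like it occurs in training.
ATTACK_PAYLOAD = b"GET /" + b"\x90" * 400 + b"\xff\xe4\xcc\xcc\r\n\r\n"


def demo() -> dict:
    """Train on the constructed requests and score three payloads against the profile."""
    host, port = "www.example.com", 80
    det = PaylDetector()
    det.train(host, port, TRAINING_PAYLOADS)
    return {
        "threshold": det.thresholds[(host, port)],
        "training_distance": det.score(host, port, TRAINING_PAYLOADS[0]),
        "benign_distance": det.score(host, port, HELD_OUT_BENIGN),
        "attack_distance": det.score(host, port, ATTACK_PAYLOAD),
        "training_flagged": det.is_anomalous(host, port, TRAINING_PAYLOADS[0]),
        "attack_flagged": det.is_anomalous(host, port, ATTACK_PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The attack payload is separated by orders of magnitude because the smoothing constant makes any byte value absent from training expensive, while a held-out request that reuses the training alphabet stays near the training distances. The margin-over-training threshold is only a placeholder: to reach a stated false-positive rate such as the 0.1% in the abstract, the threshold has to be chosen on held-out normal traffic for each host and port, and profiles must be retrained when the service changes.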
Finding frequent patterns in a large sparse graph
- SIAM Data Mining Conference, 2004
Cited by 130 (4 self)
This paper presents two algorithms based on the horizontal and vertical pattern discovery paradigms that find the connected subgraphs that have a sufficient number of edge-disjoint embeddings in a single large undirected labeled sparse graph. These algorithms use three different methods to determine the number of the edge-disjoint embeddings of a subgraph that are based on approximate and exact maximum independent set computations and use it to prune infrequent subgraphs. Experimental evaluation on real datasets from various domains shows that both algorithms achieve good performance, scale well to sparse input graphs with more than 100,000 vertices, and significantly outperform a previously developed algorithm.
Clustering Intrusion Detection Alarms to Support Root Cause Analysis
- ACM Transactions on Information and System Security, 2003
Cited by 99 (0 self)
It is a well-known problem that intrusion detection systems overload their human operators by triggering thousands of alarms per day. This paper presents a new approach for handling intrusion detection alarms more efficiently. Central to this approach is the notion that each alarm occurs for a reason, which is referred to as the alarm's root cause. This paper observes that a few dozen rather persistent root causes generally account for over 90% of the alarms that an intrusion detection system triggers. Therefore, we argue that alarms should be handled by identifying and removing the most predominant and persistent root causes. To make this paradigm practicable, we propose a novel alarm-clustering method that supports the human analyst in identifying root causes. We present experiments with real-world intrusion detection alarms to show how alarm clustering helped us identify root causes. Moreover, we show that the alarm load decreases quite substantially if the identified root causes are eliminated so that they can no longer trigger alarms in the future.
Mining Intrusion Detection Alarms for Actionable Knowledge
- In The 8th ACM International Conference on Knowledge Discovery and Data Mining, 2002
Cited by 81 (1 self)
In response to attacks against enterprise networks, administrators increasingly deploy intrusion detection systems. These systems monitor hosts, networks, and other resources for signs of security violations. The use of intrusion detection has given rise to another difficult problem, namely the handling of a generally large number of alarms. In this paper, we mine historical alarms to learn how future alarms can be handled more efficiently. First, we investigate episode rules with respect to their suitability in this approach. We report the difficulties encountered and the unexpected insights gained. In addition, we introduce a new conceptual clustering technique, and use it in extensive experiments with real-world data to show that intrusion detection alarms can be handled efficiently by using previously mined knowledge.
Monitoring and Early Detection for Internet Worms
- IEEE/ACM Transactions on Networking
Cited by 66 (2 self)
After several Internet-scale worm incidents in recent years, it is clear that a simple self-propagating worm can quickly spread across the Internet and cause severe damage to our society. Facing this great security threat, we must build an early detection system to detect the presence of a worm as quickly as possible in order to give people enough time for counteractions. In this paper, we first present an Internet worm monitoring system. Then, based on the idea of "detecting the trend, not the burst" of monitored illegitimate traffic, we present a non-threshold-based "trend detection" methodology to detect a worm at its early stage by using Kalman filter estimation. In addition, for uniform scan worms such as Code Red and Slammer, we can effectively predict the overall vulnerable population size, and estimate accurately how many computers are really infected in the global Internet based on the biased monitored data. For monitoring of non-uniform scan worms such as Blaster, we show that the address space covered by a monitoring system should be as distributed as possible.
LAD: Localization anomaly detection for wireless sensor networks
- 886, 2006, Special Issue, 19th International Parallel and Distributed Processing Symposium (IPDPS), 2005
Cited by 57 (5 self)
In wireless sensor networks (WSNs), sensors' locations play a critical role in many applications. Having a GPS receiver on every sensor node is costly. In the past, a number of location discovery (localization) schemes have been proposed. Most of these schemes share a common feature: they use some special nodes, called beacon nodes, which are assumed to know their own locations (e.g., through GPS receivers or manual configuration). Other sensors discover their locations based on the reference information provided by these beacon nodes. Most of the beacon-based localization schemes assume a benign environment, where all beacon nodes are supposed to provide correct reference information. However, when the sensor networks are deployed in a hostile environment, where beacon nodes can be compromised, such an assumption does not hold anymore. In this paper, we propose a general scheme to detect localization anomalies that are caused by adversaries. Our scheme is independent of the localization schemes. We formulate the problem as an anomaly intrusion detection problem, and we propose a number of ways to detect localization anomalies. We have conducted simulations to evaluate the performance of our scheme, including the false positive rates, the detection rates, and the resilience to node compromises.
Detection and explanation of anomalous activities: representing activities as bags of event n-grams
- IEEE Computer Society Conference on Computer Vision and Pattern Recognition (CVPR), 2005
Cited by 51 (7 self)
We present a novel representation and method for detecting and explaining anomalous activities in a video stream. Drawing from natural language processing, we introduce a representation of activities as bags of event n-grams, where we analyze the global structural information of activities using their local event statistics. We demonstrate how maximal cliques in an undirected edge-weighted graph of activities can be used in an unsupervised manner to discover regular sub-classes of an activity class. Based on these discovered sub-classes, we formulate a definition of anomalous activities and present a way to detect them. Finally, we characterize each discovered sub-class in terms of its “most representative member,” and present an information-theoretic method to explain the detected anomalies in a human-interpretable form.
Fusion of multiple classifiers for intrusion detection in computer networks
- Pattern Recognition Letters, 2003
Cited by 42 (6 self)
The security of computer networks plays a strategic role in modern computer systems. In order to enforce high protection levels against threats, a number of software tools have currently been developed. Intrusion Detection Systems aim at detecting intruders who elude “first line” protection. In this paper, a pattern recognition approach to network intrusion detection based on the fusion of multiple classifiers is proposed. Five decision fusion methods are assessed by experiments and their performances compared. The potentialities of classifier fusion for the development of effective intrusion detection systems are evaluated and discussed.
Learning intrusion detection: supervised or unsupervised?
- In: Image Analysis and Processing, Proc. of 13th ICIAP Conference, 2005, pp. 50–57
Cited by 34 (1 self)
Application and development of specialized machine learning techniques are gaining increasing attention in the intrusion detection community. A variety of learning techniques proposed for different intrusion detection problems can be roughly classified into two broad categories: supervised (classification) and unsupervised (anomaly detection and clustering). In this contribution we develop an experimental framework for comparative analysis of both kinds of learning techniques. In our framework we cast unsupervised techniques into a special case of classification, for which training and model selection can be performed by means of ROC analysis. We then investigate both kinds of learning techniques with respect to their detection accuracy and ability to detect unknown attacks.