poster

Free access

A methodology for designing accurate anomaly detection systems

Authors:

Kenneth L. Ingham,

Anil SomayajiAuthors Info & Claims

LANC '07: Proceedings of the 4th international IFIP/ACM Latin American conference on Networking

Pages 139 - 143

https://doi.org/10.1145/1384117.1384137

Published: 10 October 2007 Publication History

PDF eReader

Abstract

Anomaly detection systems have the potential to detect zero-day attacks. However, these systems can suffer from high rates of false positives and can be evaded through through mimicry attacks. The key to addressing both problems is careful control of model generalization. An anomaly detection system that undergeneralizes generates too many false positives, while one that overgeneralizes misses attacks. In this paper, we present a methodology for creating anomaly detection systems that make appropriate trade-offs regarding model precision and generalization. Specifically, we propose that systems be created by taking an appropriate, undergeneralizing data modeling method and extending it using data pre-processing generalization heuristics. To show the utility of our methodology, we show how it has been applied to the problem of detecting malicious web requests.

References

[1]

K. P. Anchor, J. B. Zydallis, G. H. Gunsch, and G. B. Lamont. Extending the computer defense immune system: Network intrusion detection with a multiobjective evolutionary programming approach. In Proceedings of ICARIS 2002: 1st International Conference on Artificial Immune Systems Conference, 2002.

Google Scholar

[2]

M. Damashek. Gauging similarity with n-grams: language-independent categorization of text. Science, 267(5199):843--848, 1995.

Crossref

Google Scholar

[3]

P. Fogla, M. Sharif, R. Perdisci, O. Kolesnikov, and W. Lee. Polymorphic blending attacks. In USENIX-SS '06: Proceedings of the 15th conference on USENIX Security Symposium, pages 17--17, Berkeley, CA, USA, 2006. USENIX Association.

Digital Library

Google Scholar

[4]

S. Forrest, S. Hofmeyr, A. Somayaji, and T. Longstaff. A sense of self for Unix processes. In 1996 IEEE Symposium on Security and Privacy, 6--8 May 1996, Oakland, CA, USA, pages 120--128, Los Alamitos, CA, USA, 1996. IEEE Computer Society Press.

Digital Library

Google Scholar

[5]

K. L. Ingham. Anomaly Detection for HTTP Intrusion Detection: Algorithm Comparisons and the Effect of Generalization on Accuracy. PhD thesis, Department of Computer Science, University of New Mexico, Albuquerque, NM, 87131, 2007.

Google Scholar

[6]

K. L. Ingham and H. Inoue. Comparing anomaly detection techniques for HTTP. In Recent Advances in Intrusion Detection, 2007.

Digital Library

Google Scholar

[7]

K. L. Ingham, A. Somayaji, J. Burge, and S. Forrest. Learning DFA representations of HTTP for protecting web applications. Computer Networks, 51(5):1239--1255, 11 April 2007.

Digital Library

Google Scholar

[8]

C. Kruegel, G. Vigna, and W. Robertson. A multi-model approach to the detection of web-based attacks. Computer Networks, 48(5):717--738, 2005.

Digital Library

Google Scholar

[9]

Z. Li, A. Das, and J. Zhou. Model generalization and its implications on intrusion detection. In Applied Cryptography and Network Security, Third International Conference, ACNS 2005, New York, NY, USA, June 7--10, 2005, Proceedings, pages 222--237, 2005.

Digital Library

Google Scholar

[10]

W. Robertson, G. Vigna, C. Kruegel, and R. A. Kemmerer. Using generalization and characterization techniques in the anomaly-based detection of web attacks. In Network and Distributed System Security Symposium Conference Proceedings: 2006. Internet Society, 2006.

Google Scholar

[11]

K. Wang and S. J. Stolfo. Anomalous payload-based network intrusion detection. In Recent Advances in Intrusion Detection: 7th International Symposium, RAID 2004, Sophia Antipolis, France, September 15--17, 2004. Proceedings, volume 3224 of Lecture Notes in Computer Science, pages 203--222. Springer, 2004.

Crossref

Google Scholar

Cited By

View all

Yash Sharma Jyoti Chaudhary Vimmi Malhotra (2023)Intrusion Prevention System for Website AttacksInternational Journal of Advanced Research in Science, Communication and Technology10.48175/IJARSCT-9492(183-187)Online publication date: 26-Apr-2023
https://doi.org/10.48175/IJARSCT-9492
Mudzingwa DAgrawal R(2012)A study of methodologies used in intrusion detection and prevention systems (IDPS)2012 Proceedings of IEEE Southeastcon10.1109/SECon.2012.6197080(1-6)Online publication date: Mar-2012
https://doi.org/10.1109/SECon.2012.6197080
Agrawal RCai CGupta APaul RSalih R(2011)BANBADNetwork Security, Administration and Management10.4018/978-1-60960-777-7.ch013(253-276)Online publication date: 2011
https://doi.org/10.4018/978-1-60960-777-7.ch013
Show More Cited By

Index Terms

A methodology for designing accurate anomaly detection systems
1. Software and its engineering

Recommendations

An intelligent intrusion detection system (IDS) for anomaly and misuse detection in computer networks

In this paper, we propose a novel Intrusion Detection System (IDS) architecture utilizing both anomaly and misuse detection approaches. This hybrid Intrusion Detection System architecture consists of an anomaly detection module, a misuse detection ...
Specification-based anomaly detection: a new approach for detecting network intrusions
CCS '02: Proceedings of the 9th ACM conference on Computer and communications security

Unlike signature or misuse based intrusion detection techniques, anomaly detection is capable of detecting novel attacks. However, the use of anomaly detection in practice is hampered by a high rate of false alarms. Specification-based techniques have ...
Program Anomaly Detection: Methodology and Practices
CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security

This tutorial will present an overview of program anomaly detection, which analyzes normal program behaviors and discovers aberrant executions caused by attacks, misconfigurations, program bugs, and unusual usage patterns. It was first introduced as an ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

LANC '07: Proceedings of the 4th international IFIP/ACM Latin American conference on Networking

October 2007

157 pages

ISBN:9781595939074

DOI:10.1145/1384117

General Chair:
Ernst L. Leiss
U. of Houston

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

In-Cooperation

SIGCOMM: ACM Special Interest Group on Data Communication

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 10 October 2007

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Poster

Funding Sources

National Science Foundation

Conference

LANC07

Sponsor:

LANC07: IFIP / ACM Latin American Networking Conference 2007

October 10 - 11, 2007

San José, Costa Rica

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

4
Total Citations
View Citations
353
Total Downloads

Downloads (Last 12 months)64
Downloads (Last 6 weeks)15

Reflects downloads up to 17 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

Yash Sharma Jyoti Chaudhary Vimmi Malhotra (2023)Intrusion Prevention System for Website AttacksInternational Journal of Advanced Research in Science, Communication and Technology10.48175/IJARSCT-9492(183-187)Online publication date: 26-Apr-2023
https://doi.org/10.48175/IJARSCT-9492
Mudzingwa DAgrawal R(2012)A study of methodologies used in intrusion detection and prevention systems (IDPS)2012 Proceedings of IEEE Southeastcon10.1109/SECon.2012.6197080(1-6)Online publication date: Mar-2012
https://doi.org/10.1109/SECon.2012.6197080
Agrawal RCai CGupta APaul RSalih R(2011)BANBADNetwork Security, Administration and Management10.4018/978-1-60960-777-7.ch013(253-276)Online publication date: 2011
https://doi.org/10.4018/978-1-60960-777-7.ch013
Eiland EEvans SMarkham TBarnett BImpson JSteinbrecher E(2008)Network Intrusion Detection: Using MDLcompress for deep packet inspectionMILCOM 2008 - 2008 IEEE Military Communications Conference10.1109/MILCOM.2008.4753180(1-7)Online publication date: Nov-2008
https://doi.org/10.1109/MILCOM.2008.4753180

View Options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

An intelligent intrusion detection system (IDS) for anomaly and misuse detection in computer networks

Specification-based anomaly detection: a new approach for detecting network intrusions

Program Anomaly Detection: Methodology and Practices