Journal of Intelligent Information Systems

, Volume 42, Issue 1, pp 133–153 | Cite as

Human perspective to anomaly detection for cybersecurity

  • Song Chen
  • Vandana P. Janeja


Traditionally signature-based network Intrusion Detection Systems (IDS) rely on inputs from domain experts and can only identify the attacks if they occur as individual event. IDS generate large number of alerts and it becomes very difficult for human users to go through each message. Previous researches have proposed analytics based approaches to analyze IDS alert patterns based on anomaly detection models, multi-steps models or probabilistic approaches. However, due to the complexities of network intrusions, it is impossible to develop all possible attack patterns or to avoid false positives. With the advance in technologies and popularity of networks in our daily life, it is becoming more and more difficult to detect network intrusions. However, no matter how rapid the technologies change, the human behaviors behind the cyber attacks stay relatively constant. This provides us an opportunity to develop an improved system to detect the unusual cyber attacks. In this paper, we developed four network intrusion models based on consideration of human factors. We then tested these models on ITOC Cyber Defense Competition (CDX) 2009 data. Our results are encouraging. These Models are not only able to recognize most network attacks identified by SNORT log alerts, they are also able to distinguish the non-attack network traffic that was potentially missed by SNORT as indicated by ground truth validation of the data.


Cybersecurity Human factors Data mining Pattern discovery 


  1. Anwar, F., Anwar, Z., et al. (2011). Digital forensics for eucalyptus. In Frontiers of Information Technology (FIT), 2011 (pp. 110–116). IEEE.Google Scholar
  2. Cheung, S., Lindqvist, U., Fong, M.W. (2003). Modeling multistep cyber attacks for scenario recognition. In DARPA information survivability conference and exposition, 2003. Proceedings (vol. 1, pp. 284–292). IEEE.Google Scholar
  3. Cuppens, F., & Miège, A. (2002). Alert correlation in a cooperative intrusion detection framework. In 2002 IEEE symposium on security and privacy, 2002. Proceedings (pp. 202–215). IEEE.Google Scholar
  4. Denning, D.E. (1987). An intrusion-detection model. IEEE Transactions on Software Engineering, SE-13(2), 222–232.CrossRefGoogle Scholar
  5. Dey, S., Janeja, V.P., Gangopadhyay, A. (2009). Temporal neighborhood discovery through unequal depth binning. In IEEE International Conference on Data Mining (ICDM’09).Google Scholar
  6. Dodge Jr, R.C., & Wilson, T. (2003). Network traffic analysis from the cyber defense exercise. In IEEE international conference on systems, man and cybernetics, 2003 (vol. 5, pp. 4317–4321). IEEE.Google Scholar
  7. Fanelli, R. (2010). The value of competition. SC Magazine.Google Scholar
  8. Kim, S.J., & Hong, S. (2011). Study on the development of early warning model for cyber attack. In 2011 International Conference on Information Science and Applications (ICISA) (pp. 1–8). IEEE.Google Scholar
  9. Liu, Z., Wang, C., Chen, S. (2008). Correlating multi-step attack and constructing attack scenarios based on attack pattern modeling. In International conference on information security and assurance, 2008. ISA 2008 (pp. 214–219). IEEE.Google Scholar
  10. Miles, W. (2001). Hack proofing sun solaris 8—protect your solaris network from attack (1st ed., pp. 83–85, 257). New York: Syngress.Google Scholar
  11. Namayanja, J.M., & Janeja, V.P. (2013). Discovery of persistent threat structures through temporal and geo-spatial characterization in evolving networks. In IEEE Intelligence and Security Informatics (ISI).Google Scholar
  12. Nguyen, H.D., Gutta, S., Cheng, Q. (2010). An active distributed approach for cyber attack detection. In 2010 conference record of the forty fourth asilomar conference on signals, systems and computers (ASILOMAR) (pp. 1540–1544). IEEE.Google Scholar
  13. Ning, P., Cui, Y., Reeves, D.S., Xu, D. (2004). Techniques and tools for analyzing intrusion alerts. ACM Transactions on Information and System Security (TISSEC), 7(2), 274–318.CrossRefGoogle Scholar
  14. Orebaugh, A.D., Biles, S., Babbin, J. (2005). Snort cookbook. O’Reilly Media, Inc.Google Scholar
  15. Rehman, R.U. (2003). Intrusion detection systems with Snort: Advanced IDS techniques using Snort, Apache, MySQL, PHP, and ACID. Prentice Hall PTR.Google Scholar
  16. Roesch, M., & Green, C. (2003). Snort users manual 2.9.3. (pp. 1–2, 179–180).Google Scholar
  17. Sangster, B., O’Connor, T.J., Cook, T., Fanelli, R., Dean, E., Adams, W.J., Morrell, C., Conti, G. (2009). Toward instrumenting network warfare competitions to generate labeled datasets. In Proceedings of the 2nd conference on cyber security experimentation and test (pp. 9–9). USENIX Association.Google Scholar
  18. Snort (software) (2013). ID: 551979534.Google Scholar
  19. Valdes, A., & Skinner, K. (2001). Probabilistic alert correlation. In Recent advances in intrusion detection (pp. 54–68). Springer.Google Scholar
  20. Youssef, A., & Emam, A. (2012). Network intrusion detection using data mining and network behaviour analysis. International Journal of Computer Science & Information Technology, 3.6, 87–98.Google Scholar

Copyright information

© Springer Science+Business Media New York 2013

Authors and Affiliations

  1. 1.University of MarylandBaltimore CountyUSA

Personalised recommendations