Using Behavior Knowledge Space and Temporal Information for Detecting Intrusions in Computer Networks
Pattern Recognition (PR) techniques have proven their ability to detect malicious activity within network traffic. Systems based on multiple classifiers can further strengthen detection capabilities by combining and correlating the results obtained from different sources.
An aspect often disregarded in PR approaches to the intrusion detection problem is the use of temporal information. An attack is typically carried out across a set of consecutive network packets; a PR system could therefore improve its reliability by examining sequences of network connections before expressing a decision.
In this paper we present a system that uses a multiple classifier approach together with temporal information about the network packets to be classified. In order to improve classification reliability, we introduce the concept of rejection: instead of emitting an unreliable verdict, an ambiguously classified packet can be logged for further analysis.
The proposed system has been tested on a large database made up of real network traffic traces.
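The two ideas in the abstract, a Behavior Knowledge Space (BKS) lookup that combines several base classifiers and rejects ambiguous packets, and a decision taken over a sequence of consecutive connections rather than a single one, are illustrated by the following added example. It is not the paper's code: the three base classifiers, the training counts, the reject rule (minimum cell support and minimum confidence) and the majority rule over a window of connections are all assumptions made for the illustration.

```python
from collections import Counter, defaultdict

NORMAL, ATTACK, REJECT = "normal", "attack", "reject"


class BKS:
    """Behavior Knowledge Space: each cell is keyed by the tuple of base-classifier
    labels and counts how often each true class occurred with it in training."""

    def __init__(self, min_support=2, min_confidence=0.75):
        self.cells = defaultdict(Counter)
        self.min_support = min_support      # assumed reject rule, not the paper's
        self.min_confidence = min_confidence

    def fit(self, samples):
        for combo, truth in samples:
            self.cells[tuple(combo)][truth] += 1
        return self

    def predict(self, combo):
        cell = self.cells.get(tuple(combo))
        if not cell:
            return REJECT  # combination never seen in training: do not guess
        label, count = cell.most_common(1)[0]
        total = sum(cell.values())
        if total < self.min_support or count / total < self.min_confidence:
            return REJECT  # ambiguous cell: log the packet instead of deciding
        return label


def classify_window(bks, window):
    """Temporal decision over consecutive connections: a verdict is emitted
    only when a strict majority of the window's per-packet BKS verdicts agree."""
    counts = Counter(bks.predict(c) for c in window)
    for label in (ATTACK, NORMAL):
        if counts[label] * 2 > len(window):
            return label
    return REJECT


# Constructed training set: outputs of three base classifiers, then the truth.
A, N = ATTACK, NORMAL
TRAIN = [((A, A, A), A)] * 3 + [((N, N, N), N)] * 4 + [
    ((A, N, A), A), ((A, N, A), A), ((A, N, A), N),  # 2:1 split, below 0.75
    ((N, A, N), N), ((N, A, N), A),                  # 1:1 split, ambiguous
]


def build_model():
    return BKS().fit(TRAIN)


if __name__ == "__main__":
    model = build_model()
    print(model.predict((A, N, A)))  # reject, where a plain majority vote says attack
    print(classify_window(model, [(A, A, A), (A, N, A), (A, A, A)]))  # attack
```

The (attack, normal, attack) combination shows the difference from plain voting: a majority vote would call it an attack, while the BKS cell's 2:1 history falls below the confidence threshold and the packet is rejected for later analysis.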