N3: A Geometrical Approach for Network Intrusion Detection at the Application Layer

  • Juan M. Estévez-Tapiador
  • Pedro García-Teodoro
  • Jesús E. Díaz-Verdejo
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3043)

Abstract

In this work, a novel approach for the purpose of anomaly-based network intrusion detection at the application layer is presented. The problem of identifying anomalous payloads is addressed by using a technique based on the modelling of short sequences of adjoining bytes in the requests destined to a given service. Upon this theoretical framework, we propose an algorithm that assigns an anomaly score to each service request on the basis of its similarity with a previously established model of normality. The introduced approach has been evaluated by considering datasets composed of HTTP and DNS traffic. Thus, a large amount of attacks related with such services has been gathered, and detailed experimental results concerning the detection capability of the proposed system are shown. The experiments demonstrate that our approach yields a very high detection rate with a low level of false alarms.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Landwehr, C.E.: Computer Security. International Journal on Information Security 1(1), 3–13 (2001)MATHGoogle Scholar
  2. 2.
    Project OASIS: Organically Assured and Survivable Information System, Available online at: http://www.tolerantsystems.org/
  3. 3.
    Project MAFTIA: Malicious and Accidental Fault Tolerance for Internet Applications, Available online at: http://www.newcastle.research.ec.org/maftia/index.html
  4. 4.
    McHugh, J.: Intrusion and Intrusion Detection. International Journal on Information Security 1(1), 14–35 (2001)MATHGoogle Scholar
  5. 5.
    Kemmerer, R.A., Vigna, G.: Intrusion Detection: A Brief History and Overview. IEEE Computer 35(4), 27–30 (2002)Google Scholar
  6. 6.
    Allen, J., Christie, A., Fithen, W., McHugh, J., Pickel, J., and Stoner, E.: State of the Practice of Intrusion Detection Technologies. Technical Report CMU/SEI- 99-TR-028, Software Engineering Institute, Carnegie Mellon (January 2000) Google Scholar
  7. 7.
    Axelsson, S.: Intrusion Detection Systems: A Survey and Taxonomy. Technical Report 99-15, Department of Computer Engineering, Chalmers University of Technology, Goteborg Google Scholar
  8. 8.
    Krügel, C., Toth, T., Kirda, E.: Service Specific Anomaly Detection for Network Intrusion Detection. In: Proceedings of the 17th ACM Symposium on Applied Computing (SAC), Madrid (Spain), pp. 201–208 (2002)Google Scholar
  9. 9.
    Mahoney, M.V., Chan, P.K.: Learning Nonstationary Models of Normal Network Traffic for Detecting Novel Attacks. In: Proceedings of the 8th International Conference on Knowledge Discovery and Data Mining, pp. 376–385 (2002)Google Scholar
  10. 10.
    Mahoney, M.V., Chan, P.K.: An Analysis of the 1999 DARPA/Lincoln Laboratory Evaluation Data for Network Anomaly Detection. Florida Institute of Technology Technical Report CS-2003-02 (2003) Google Scholar
  11. 11.
    Mahoney, M.V.: Network Traffic Anomaly Detection Based on Packet Bytes. In: Proceedings of the 18th ACM Symposium on Applied Computing (SAC), Melbourne, FL (USA), pp. 346–350 (2003)Google Scholar
  12. 12.
    Estevez-Tapiador, J.M., Garcia-Teodoro, P., Diaz-Verdejo, J.E.: Stochastic Protocol Modeling for Anomaly-Based Network Intrusion Detection. In: Proceedings of the 1st IEEE International Workshop on Information Assurance (IWIA 2003), Darmstadt (Germany), March 2003, pp. 3–12 (2003)Google Scholar
  13. 13.
    Gusfield, D.: Algorithms on Strings, Trees, and Sequences: Computer Science and Computational Biology. Cambridge University Press, Cambridge (1997) ISBN: 0521585198Google Scholar
  14. 14.
    Lippmann, R., Haines, J.W., Fried, D.J., Corba, J., Das, K.: The 1999 DARPA Off-line Intrusion Detection Evaluation. Computer Networks 34(4), 579–595 (2000)CrossRefGoogle Scholar
  15. 15.
    McHugh, J.: Testing Intrusion Detection Systems: A Critique to the 1998 and 1999 DARPA Intrusion Detection Evaluations as Performed by Lincoln Laboratory. ACM Transactions on Information and Systems Security 3(4), 262–294 (2000)CrossRefGoogle Scholar
  16. 16.
    arachNIDS: Advanced Reference Archive of Current Heuristics for Network Intrusion Detection Systems, Available online at: http://www.whitehats.com/ids

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Juan M. Estévez-Tapiador
    • 1
  • Pedro García-Teodoro
    • 1
  • Jesús E. Díaz-Verdejo
    • 1
  1. 1.Research Group on Signals, Telematics and Communications, Department of Electronics and Computer TechnologyUniversity of Granada 

Personalised recommendations