Case-Based Anomaly Detection

  • Alessandro Micarelli
  • Giuseppe Sansonetti
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4626)

Abstract

Computer and network security is an extremely active and productive research area. Researchers from all over the world address its problems using different types of models and methods. In this article we present a case-based approach in which normal user-computer interaction is read as a set of snapshots taken from a reduced number of instances of the same application, attack-free and sufficiently different from one another. The generic case representation is obtained by interpreting in numeric form the arguments and parameters of system calls deemed potentially dangerous. The similarity between a new input case and the ones stored in the case library is measured by computing the Earth Mover's Distance between the corresponding feature distributions, which are obtained by means of cluster analysis.
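The pipeline the abstract sketches (numeric features per system call, a case summarised as weighted clusters, similarity by Earth Mover's Distance against a library of attack-free cases) can be followed end to end on toy data. The block below is an added example, not code from the paper or its authors; the feature used (a constructed per-call "argument length"), the one-dimensional k-means summarisation, the closed-form 1-D EMD, the nearest-case scoring rule and all sample values are assumptions made for illustration.

```python
"""Added example (not from the paper): case-based anomaly scoring with the
Earth Mover's Distance (EMD) between feature distributions.

Assumptions (illustrative, not the authors' design): one numeric feature per
system call (a constructed 'argument length'), a case summarised as weighted
cluster centres by Lloyd's k-means in one dimension, and the 1-D EMD computed
exactly as the integral of the gap between the two cumulative distributions.
"""
from __future__ import annotations

import random
from typing import List, Sequence, Tuple

# A signature is a list of (cluster centre, weight); weights sum to 1.
Signature = List[Tuple[float, float]]


def cluster_signature(values: Sequence[float], k: int, iters: int = 50) -> Signature:
    """Summarise one case (feature values of its system calls) as k weighted
    cluster centres. Initial centres are evenly spaced quantiles of the
    distinct values, so the result is deterministic."""
    if not values:
        raise ValueError("a case needs at least one observation")
    xs = sorted(values)
    distinct = sorted(set(xs))
    k = min(k, len(distinct))
    centres = [distinct[(i * len(distinct)) // k] for i in range(k)]
    buckets: List[List[float]] = []
    for _ in range(iters):
        buckets = [[] for _ in centres]
        for x in xs:  # assign each value to its nearest centre
            j = min(range(len(centres)), key=lambda j: abs(x - centres[j]))
            buckets[j].append(x)
        new = [sum(b) / len(b) if b else c for b, c in zip(buckets, centres)]
        if new == centres:
            break
        centres = new
    sig = [(c, len(b) / len(xs)) for c, b in zip(centres, buckets) if b]
    return sorted(sig)


def emd_1d(p: Signature, q: Signature) -> float:
    """Exact Earth Mover's Distance between two 1-D signatures of equal total
    weight: the area between their cumulative distribution functions."""
    if abs(sum(w for _, w in p) - sum(w for _, w in q)) > 1e-9:
        raise ValueError("signatures must carry the same total weight")
    mass_p: dict = {}
    mass_q: dict = {}
    for c, w in p:
        mass_p[c] = mass_p.get(c, 0.0) + w
    for c, w in q:
        mass_q[c] = mass_q.get(c, 0.0) + w
    points = sorted(set(mass_p) | set(mass_q))
    total, cdf_p, cdf_q = 0.0, 0.0, 0.0
    for a, b in zip(points, points[1:]):
        cdf_p += mass_p.get(a, 0.0)
        cdf_q += mass_q.get(a, 0.0)
        total += abs(cdf_p - cdf_q) * (b - a)  # mass that must cross [a, b]
    return total


def anomaly_score(case: Signature, library: List[Signature]) -> float:
    """Distance from a new case to the most similar stored attack-free case."""
    return min(emd_1d(case, ref) for ref in library)


def is_anomalous(case: Signature, library: List[Signature], threshold: float) -> bool:
    return anomaly_score(case, library) > threshold


def constructed_case(seed: int, modes: Sequence[float], per_mode: int = 50) -> List[float]:
    """Constructed sample data: argument lengths drawn around each mode."""
    rng = random.Random(seed)
    return [rng.gauss(mu, 2.0) for mu in modes for _ in range(per_mode)]


def build_demo() -> Tuple[List[Signature], Signature, Signature]:
    """Three attack-free reference cases (modes near 10 and 35), one fresh
    normal case, and one case that additionally carries a mode near 400."""
    library = [cluster_signature(constructed_case(s, (10.0, 35.0)), k=3) for s in range(3)]
    normal_case = cluster_signature(constructed_case(99, (10.0, 35.0)), k=3)
    odd_case = cluster_signature(constructed_case(7, (10.0, 35.0, 400.0)), k=3)
    return library, normal_case, odd_case


if __name__ == "__main__":
    lib, normal, odd = build_demo()
    for name, case in (("normal", normal), ("odd", odd)):
        print(name, round(anomaly_score(case, lib), 2), is_anomalous(case, lib, 5.0))
```

The threshold is the operational knob a deployment would calibrate: the distance between two attack-free cases sets the floor for false positives, and a case whose feature mass sits far from every stored case scores high because EMD charges for the distance the mass must travel, not merely for the fact that a cluster is new.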

Keywords

Intrusion Detection, Anomaly Detection, System Call, Intrusion Detection System, Case Library

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Alessandro Micarelli (1)
  • Giuseppe Sansonetti (1)
  1. Department of Computer Science and Automation, Artificial Intelligence Laboratory, Roma Tre University, Via della Vasca Navale, 79, 00146 Rome, Italy