Panacea: Automating Attack Classification for Anomaly-Based Network Intrusion Detection Systems

  • Damiano Bolzoni
  • Sandro Etalle
  • Pieter H. Hartel
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5758)


Anomaly-based intrusion detection systems are usually criticized because they lack a classification of attacks, thus security teams have to manually inspect any raised alert to classify it. We present a new approach, Panacea, to automatically and systematically classify attacks detected by an anomaly-based network intrusion detection system.


attack classification anomaly-based intrusion detection systems 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Ghosh, A., Schwartzbard, A.: A study in using neural networks for anomaly and misuse detection. In: SSYM 1999: Proc. 8th conference on USENIX Security Symposium, pp. 141–152. USENIX Association (1999)Google Scholar
  2. 2.
    Robertson, W., Vigna, G., Kruegel, C., Kemmerer, R.: Using generalization and characterization techniques in the anomaly-based detection of web attacks. In: NDSS 2006: Proc. 13th ISOC Symposium on Network and Distributed Systems Security (2006)Google Scholar
  3. 3.
    Ning, P., Cui, Y., Reeves, D.: Constructing attack scenarios trough correlation of intrusion alerts. In: CCS 2002: Proc. 9th ACM Conference on Computer and Communication Security, pp. 245–254. ACM Press, New York (2002)Google Scholar
  4. 4.
    Cuppens, F., Ortalo, R.: LAMBDA: A Language to Model a Database for Detection of Attacks. In: Debar, H., Mé, L., Wu, S.F. (eds.) RAID 2000. LNCS, vol. 1907, pp. 197–216. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  5. 5.
    Debar, H., Wespi, A.: Aggregation and Correlation of Intrusion-Detection Alerts. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, pp. 85–103. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  6. 6.
    Ning, P., Xu, D.: Learning attack strategies from intrusion alerts. In: CCS 2003: Proc. 10th ACM conference on Computer and Communications Security, pp. 200–209. ACM Press, New York (2003)Google Scholar
  7. 7.
    Valeur, F., Vigna, G., Kruegel, C., Kremmerer, R.: A comprehensive approach to intrusion detection alert correlation. IEEE Trans. Dependable Secur. Comput. 1(3), 146–169 (2004)CrossRefGoogle Scholar
  8. 8.
    Roesch, M.: Snort - Lightweight Intrusion Detection for Networks. In: LISA 1999: Proc. 13th USENIX Conference on System Administration, pp. 229–238. USENIX Association (1999)Google Scholar
  9. 9.
    Sourcefire: Snort Network Intrusion Detection System,
  10. 10.
    Damashek, M.: Gauging similarity with n-grams: Language-independent categorization of text. Science 267(5199), 843–848 (1995)CrossRefGoogle Scholar
  11. 11.
    Forrest, S., Hofmeyr, S.: A Sense of Self for Unix Processes. In: S&P 1996: Proc. 17th IEEE Symposium on Security and Privacy, pp. 120–128. IEEE Computer Society Press, Los Alamitos (2002)Google Scholar
  12. 12.
    Wang, K., Stolfo, S.: Anomalous Payload-Based Network Intrusion Detection. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol. 3224, pp. 203–222. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  13. 13.
    Wang, K., Parekh, J., Stolfo, S.: Anagram: a Content Anomaly Detector Resistant to Mimicry Attack. In: Zamboni, D., Krügel, C. (eds.) RAID 2006. LNCS, vol. 4219, pp. 226–248. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  14. 14.
    Bloom, B.: Space/time trade-offs in hash coding with allowable errors. Communications of the ACM 13(7), 422–426 (1970)CrossRefzbMATHGoogle Scholar
  15. 15.
    Pietraszek, T.: Using Adaptive Alert Classification to Reduce False Positives in Intrusion Detection. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol. 3224, pp. 102–124. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  16. 16.
    Bolzoni, D., Crispo, B., Etalle, S.: ATLANTIDES: An Architecture for Alert Verification in Network Intrusion Detection Systems. In: LISA 2007: Proc. 21st Large Installation System Administration Conference, pp. 141–152. USENIX Association (2007)Google Scholar
  17. 17.
    Meyer, D., Leisch, F., Hornik, K.: The support vector machine under test. Neurocomputing 55(1-2), 169–186 (2003)CrossRefGoogle Scholar
  18. 18.
    R Development Core Team: R: A Language and Environment for Statistical Computing. R Foundation for Statistical Computing,
  19. 19.
    Lee, W.: A data mining framework for constructing features and models for intrusion detection systems. PhD thesis, Columbia University, New York, NY, USA (1999)Google Scholar
  20. 20.
    Lee, W., Fan, W., Miller, M., Stolfo, S., Zadok, E.: Toward cost-sensitive modeling for intrusion detection and response. Journal of Computer Security 10(1-2), 5–22 (2002)CrossRefGoogle Scholar
  21. 21.
    Vapnik, V., Lerner, A.: Pattern recognition using generalized portrait method. Automation and Remote Control 24 (1963)Google Scholar
  22. 22.
    Boser, B., Guyon, I., Vapnik, V.: A training algorithm for optimal margin classifiers. In: Proc. 5th Annual ACM Workshop on Computational Learning Theory, pp. 144–152. ACM Press, New York (1992)CrossRefGoogle Scholar
  23. 23.
    Cohen, W.: Fast effective rule induction. In: Proc. 12th International Conference on Machine Learning, pp. 115–123. Morgan Kaufmann, San Francisco (1995)Google Scholar
  24. 24.
    The University of Waikato: Weka 3: Data Mining Software in Java,
  25. 25.
    Howard, J.: An analysis of security incidents on the Internet 1989-1995. PhD thesis, Carnegie Mellon University, Pittsburgh, PA, USA (1998)Google Scholar
  26. 26.
    Hansman, S., Hunt, R.: A taxonomy of network and computer attacks. Computers & Security 24(1), 31–43 (2004)CrossRefGoogle Scholar
  27. 27.
    Lippmann, R., Cunningham, R., Fried, D., Garfinkel, S., Gorton, A., Graf, I., Kendall, K., McClung, D., Weber, D., Webster, S., W̃yschogrod, D., Zissman, M.: The 1998 DARPA/AFRL off-line intrusion detection evaluation. In: RAID 1998: Proc. 1st International Workshop on the Recent Advances in Intrusion Detection (1998)Google Scholar
  28. 28.
    Lippmann, R., Haines, J., Fried, D., Korba, J., Das, K.: The 1999 DARPA off-line intrusion detection evaluation. Computer Networks: The International Journal of Computer and Telecommunications Networking 34(4), 579–595 (2000)CrossRefGoogle Scholar
  29. 29.
  30. 30.
    Web Application Security Consortium: Web Security Threat Classification,
  31. 31.
    Tenable Network Security: Nessus Vulnerabilty Scanner,
  32. 32. Nikto web scanner,
  33. 33.
  34. 34.
    Bolzoni, D., Zambon, E., Etalle, S., Hartel, P.: POSEIDON: a 2-tier Anomaly-based Network Intrusion Detection System. In: IWIA 2006: Proc. 4th IEEE International Workshop on Information Assurance, pp. 144–156. IEEE Computer Society Press, Los Alamitos (2006)Google Scholar
  35. 35.
    Bolzoni, D., Etalle, S.: Boosting Web Intrusion Detection Systems by Inferring Positive Signatures. In: Meersman, R., Tari, Z. (eds.) OTM 2008, Part II. LNCS, vol. 5332, pp. 938–955. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  36. 36.
    Cova, M., Balzarotti, D., Felmetsger, V., Vigna, G.: Swaddler: An approach for the anomaly-based detection of state violations in web applications. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 63–86. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  37. 37.
    Vigna, G., Robertson, W., Balzarotti, D.: Testing network-based intrusion detection signatures using mutant exploits. In: CCS 2004: Proc. 11th ACM Conference on Computer and Communications Security, pp. 21–30. ACM Press, New York (2004)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Damiano Bolzoni
    • 1
  • Sandro Etalle
    • 1
    • 2
  • Pieter H. Hartel
    • 1
  1. 1.University of TwenteEnschedeThe Netherlands
  2. 2.Eindhoven Technical UniversityThe Netherlands

Personalised recommendations