A Modeling of Intrusion Detection Systems with Identification Capability

  • Pei-Te Chen
  • Benjamin Tseng
  • Chi-Sung Laih


In this paper, we first show that traditional IDSs cannot reach the minimal cost design from the auditing viewpoints. Then we propose the definition of design architecture of IDSIC (Intrusion Detection System with Identification Capability ). In IDSIC, its architecture consists of a new detection engine that can examine packet headers, which provide a separability of security auditors and hackers. With this architecture, we will reduce the cost of false alarms, either positive or negative false alarms.


Intrusion Detection System (IDS) Identification Capability fingerprint Security Auditor 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [Anderson et al., 1995]
    D. Anderson, T. Frivold, and A. Valdes (1995). Next-generation Intrusion Detection Expert System (NIDES) A Summary. Technical Report SRI-CSL-95-07, SRI Computer Science Laboratory, May.Google Scholar
  2. [Denning, 1987]
    D. E. Denning (1987), An intrusion-detection model. IEEE Trans. on Software Enginering, vol. SE-13, no.2, pages 222V232, February.Google Scholar
  3. [Dean et al., 2001]
    D. Dean, M. Franklin, and A. Stubblefield (2001). An algebraic approach to ip traceback. In Network and Distributed System Security Symposium, NDSS '01, February.Google Scholar
  4. [Krawczyk et al., 1997]
    H. Krawczyk, M. Bellare, and R. Canetti (1997). HMAC: Keyed-Hashing for Message Authentication. Internet RFC 2104, February.Google Scholar
  5. [Cannady, 2000]
    J. Cannady (2000). An Adaptive Neural Network Approach to Intrusion Detection and Response. Ph.D Thesis, Nova Southeastern University.Google Scholar
  6. [Hochberg et al., 1993]
    J. Hochberg, K. Jackson, and C. Stallings et al. Nadir (1993): An automated system for detecting network intrusion and misuse. In Computers and Security, vol.12, no.3, pages 235–248, May.CrossRefGoogle Scholar
  7. [Heberlein et al., 1990]
    L. Heberlein, G. Dias, and K. Levitt (1990). A Network Security Monitor. In Proceedings of the IEEE Symposium on Research in Security and Privacy, pages 296–304, May.Google Scholar
  8. [Bellare et al., 1996]
    M. Bellare, R. Canetti, and H. Krawczyk (1996). Message authentication using hash functions: The HMAC construction. In RSA Laboratories' CryptoBytes Vol. 2, No. 1, Spring.Google Scholar
  9. [Whitehurst, 1987]
    R. A. Whitehurst (1987). Expert systems in intrusion-detection: A case study. Technical report, Computer Science Laboratory, SRI International, Menlo Park, California, November.Google Scholar
  10. [Savage et al., 2000]
    S. Savage, D. Wetherall, A. Karlin, and T. Anderson (2000). Practical network support for IP traceback. In 2000 ACM SIG-COMM Conference, August.Google Scholar
  11. [Snapp et al., 1991]
    S. Snapp, J. Brentano, and G. Dias (1991). DIDS (Distributed Intrusion Detection System) — Motivation, Architecture, and An Early Prototype. In Proc., 14th National Computer Security Conference, Washington, DC, pages 167–176, October.Google Scholar
  12. [Fan et al., 2000]
    W. Fan, W. Lee, S. Stolfo, and M. Miller (2000). A multiple model cost-sensitive approach for intrusion detection. In Proc. Eleventh European Conference of Machine Learning, pages 148–156, Barcelona Spain, May.Google Scholar
  13. [Lee et al., 2000]
    W. Lee, M. Miller, and S. Stolfo (2000). Toward costsensitive modeling for intrusion detection. Technical Report CUCS-002-00, Computer Science.Google Scholar

Copyright information

© Springer Science+Business Media, Inc. 2005

Authors and Affiliations

  • Pei-Te Chen
    • 1
  • Benjamin Tseng
    • 2
  • Chi-Sung Laih
    • 1
  1. 1.Department of Electrical EngineeringNational Cheng Kung UniversityTaiwan
  2. 2.Department of Information ManagementHsing Kuo University of ManagementTaiwan

Personalised recommendations