Managing Cyber Threats, pp. 19–78

Part of the Massive Computing book series (MACO, volume 5)

Intrusion Detection: A Survey

  • Aleksandar Lazarevic
  • Vipin Kumar
  • Jaideep Srivastava

Abstract

This chapter provides an overview of the state of the art in intrusion detection research. Intrusion detection systems are software and/or hardware components that monitor computer systems and analyze the events occurring in them for signs of intrusions. Because of the widespread diversity and complexity of computer infrastructures, it is difficult to provide a completely secure computer system. Therefore, there are numerous security systems and intrusion detection systems that address different aspects of computer security. This chapter first provides a taxonomy of computer intrusions, along with brief descriptions of the major computer attack categories. Second, a common architecture of intrusion detection systems and their basic characteristics are presented. Third, a taxonomy of intrusion detection systems based on five criteria (information source, analysis strategy, time aspects, architecture, response) is given. Finally, intrusion detection systems are classified according to each of these categories and the most representative research prototypes are briefly described.

Keywords

intrusion detection; taxonomy; intrusion detection systems; data mining

  165. [165]
    P.G. Neumann, Computer Related Risks, The ACM Press, a division of the Association for Computing Machinery, Inc. (ACM), 1995.Google Scholar
  166. [166]
    P.G. Neumann and D.B. Parker, A Summary of Computer Misuse Techniques, In Proceedings of the 12th National Computer Security Conference, 396–407, 1989.Google Scholar
  167. [167]
    NFR Network Intrusion Detection, http://www.nfr.com/products/NID/, 2001.Google Scholar
  168. [168]
    P. Ning, Y. Cui and D. Reeves, Constructing Attack Scenarios through Correlation of Intrusion Alerts, In Proceedings of the 9th ACM Conference on Computer & Communications Security, Washington D.C., 245–254, November 2002.Google Scholar
  169. [169]
    S. Nomad, Distributed Denial of Service Defense Tactics, http://razor.bindview.com/publish/papers/strategies.html, 2/14/2000.Google Scholar
  170. [170]
    S. Northcutt, SHADOW, http://www.nswc.navy.mil/ISSEC/CID/, 1998.Google Scholar
  171. [171]
    K. P. Park and H. Lee, On the Effectiveness of Router-Based Packet Filtering for Distributed Dos Attack Prevention in Power-Law Internets, In Proceedings of the ACM SIGCOMM Conference, San Diego, CA, August 2001.Google Scholar
  172. [172]
    D.B. Parker, Computer Abuse Perpetrators and Vulnerabilities of Computer Systems, Stanford Research Institute, Menlo Park, CA 94025 Technical Report, December 1975.Google Scholar
  173. [173]
    D.B. Parker, COMPUTER CRIME Criminal Justice Resource Manual, U.S. Department of Justice National Institute of Justice Office of Justice Programs, Prepared by SRI International under contract to Abt Associates for National Institute of Justice, U.S. Department of Justice, contract #OJP-86-C-002., 1989.Google Scholar
  174. [174]
    V. Paxson, Bro: A System for Detecting Network Intruders in Real-Time, In Proceedings of the 7th USENIX Security Symposium, San Antonio, TX, January 1998.Google Scholar
  175. [175]
    Pcap, libpcap, winpcap, libdnet, and libnet Applications and Resources, http://www.stearns.org/doc/pcap-apps.html, 2004.Google Scholar
  176. [176]
    T. Peng, C. Leckie and K. Ramamohanarao, Defending Against Distributed Denial of Service Attack Using Selective Pushback, In Proceedings of the Ninth IEEE International Conference on Telecommunications (ICT 2002), Beijing, China, June 2002.Google Scholar
  177. [177]
    P. Porras, D. Schanckernberg, S. Staniford-Chen, M. Stillman and F. Wu, Common Intrusion Detection Framework Architecture, http://www.gidos.org/drafts/ architecture.txt, 2001.Google Scholar
  178. [178]
    P.A. Porras and R.A. Kemmerer, Penetration State Transition Analysis: A Rule-Based Intrusion Detection Approach, In Proceedings of the Eighth Annual Computer Security Applications Conference, San Antonio, TX, December, 1992.Google Scholar
  179. [179]
    P.A. Porras and P.G. Neumann, EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances, In Proceedings of the 20th National Information Systems Security Conference, Baltimore, MD., 353–365, October, 1997.Google Scholar
  180. [180]
    P.A. Porras and A. Valdes, Live Traffic Analysis of TCP/IP Gateways, In Proceedings of the ISOC Symposium on Network and Distributed System Security (NDSS’98), San Diego, CA, March 1998.Google Scholar
  181. [181]
    D. Powell and R. Stroud, Conceptual Model and Architecture, Deliverable D2, Project MAFTIA IST-1999-11583, IBM Zurich Research Laboratory Research Report RZ 3377, Nov. 2001.Google Scholar
  182. [182]
    Proventia™, Security’s Silver Bullet? An Internet Security Systems White Paper, available at:, http://documents.iss.net/whitepapers/ProventiaVision.pdf, 2003.Google Scholar
  183. [183]
    F. Provost and T. Fawcett, Robust Classification for Imprecise Environments, Machine Learning, vol. 42,3, pp. 203–231, 2001.CrossRefMATHGoogle Scholar
  184. [184]
    T.H. Ptacek and T.N. Newsham, Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection, Secure Networks, Inc Technical Report, January 1998.Google Scholar
  185. [185]
    Michael Puldy, Lessons Learned in the Implementation of a Multi-Location Network Based Real Time Intrusion Detection System, In Proceedings of the Workshop on Recent Advances in Intrusion Detection (RAID 98), Louvain-la-Neuve, Belgium, September 1998.Google Scholar
  186. [186]
    X. Qin and W. Lee, Statistical Causality Analysis of INFOSEC Alert Data, In Proceedings of the 6th International Symposium on Recent Advances in Intrusion Detection (RAID 2003), Pittsburgh, PA, September 2003.Google Scholar
  187. [187]
    S. Ramaswamy, R. Rastogi and K. Shim, Efficient Algorithms for Mining Outliers from Large Data Sets, In Proceedings of the ACM SIGMOD Conference, Dallas, TX, May 2000.Google Scholar
  188. [188]
    M.J. Ranum, K. Landfield, M. Stolarchuk, M. Sienkiewicz, A. Lambeth and Wall E., Implementing a Generalized Tool for Network Monitoring, In Proceedings of the Eleventh Systems Administration Conference (LISA’97), San Diego, CA, October 1997.Google Scholar
  189. [189]
    T. Richardson, The Development of a Database Taxonomy of Vulnerabilities to Support the Study of Denial of Service Attacks., Iowa State University PhD Thesis, 2001.Google Scholar
  190. [190]
    T. Richardson, J. Davis, D. Jacobson, J. Dickerson and L. Elkin, Developing a Database of Vulnerabilities to Support the Study of Denial of Service Attacks, IEEE Symposium on Security and Privacy, May 1999.Google Scholar
  191. [191]
    S. Robertson, E. Siegel, M. Miller and S. Stolfo, Surveillance Detection in High Bandwidth Environments, In Proceedings of the 3rd DARPA Information Survivability Conference and Exposition (DISCEX 2003), Washington DC, April 2003.Google Scholar
  192. [192]
    P. Rolin, L. Toutain and S. Gombault, Network Security Probe, In Proceedings of the 2nd ACM Conference on Computer and Communication Security (ACM CCS’94), Fairfax, VA, 229–240, November 1994.Google Scholar
  193. [193]
    J. Ryan, M-J. Lin and R. Miikkulainen, Intrusion Detection with Neural Networks, In Proceedings of the AAA1 Workshop on AI Approaches to Fraud Detection and Risk Management, Providence, RI, 72–77, July 1997.Google Scholar
  194. [194]
    D. Safford, D. Schales and D. Hess, The Tamu Security Package: An Ongoing Response to Internet Intruders in an Academic Environment, In Proceedings of the Fourth USENIX Security Symposium, Santa Clara, CA, 91–118, October 1993.Google Scholar
  195. [195]
    S. Savage, D. Wetherall, A. Karlin and T. Anderson, Practical Network Support for IP Traceback, In Proceedings of the ACM SIGCOMM Conference, Stockholm, Sweden, 295–306, August 2000.Google Scholar
  196. [196]
    M. Schultz, E. Eskin, E. Zadok and S. Stolfo, Data Mining Methods for Detection of New Malicious Executables, In Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, 38–49, May 2001.Google Scholar
  197. [197]
    Secure Networks, Inc., Ballista Security Auditing System, http:// www.securenetworks.com/ballista/ballista.html, 1997.Google Scholar
  198. [198]
    SecurityTechNet.com Intrusion Detection Links, http://cnscenter.future.co.kr/security/ids.html, 2004.Google Scholar
  199. [199]
    R. Sekar, A. Gupta, J. Frullo, T. Shanbhag, A. Tiwari, H. Yang and S. Zhou, Specification Based Anomaly Detection: A New Approach for Detecting Network Intrusions, In Proceedings of the ACM Conference on Computer and Communications Security (CCS), Washington, D.C., November 2002.Google Scholar
  200. [200]
    A. Seleznyov and S. Puuronen, HIDSUR: A Hybrid Intrusion Detection System Based on Real-Time User Recognition, In Proceedings of the 11th International Workshop on Database and Expert Systems Applications (DEXA’00), Greenwich, London, UK, September, 2000.Google Scholar
  201. [201]
    K. Sequeira and M. Zaki, ADMIT: Anomaly-base Data Mining for Intrusions, In Proceedings of the 8th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, Edmonton, Canada, July 2002.Google Scholar
  202. [202]
    C. Sinclair, L. Pierce and S. Matzner, An Application of Machine Learning to Network Intrusion Detection, In Proceedings of the 15th Annual Computer Security Applications Conference, Phoenix, AZ, 371–377, December 1999.Google Scholar
  203. [203]
    S. Singh and Kandula S., Argus: A Distributed Network Intrusion Detection System, Indian Institute of Technology Kanpur, Department of Computer Science & Engineering, available at: http://www.cse.iitk.ac.in/research/btp2001/Argus.html Technical Report, 2001.Google Scholar
  204. [204]
    S. Smaha, Haystack: An Intrusion Detection System, In Proceedings of the Fourth Aerospace Computer Security Applications Conference, 37–44, October 1988.Google Scholar
  205. [205]
    S.R. Snapp, J. Brentano, G.V. Dias, T.L. Goan, T. Heberlein, C. Ho, K.N. Levitt, B. Mukherjee, S.E. Smaha, T. Grance, D.M. Teal and D. Mansur, DIDS (Distributed Intrusion Detection System) Motivation, Architecture, and an Early Prototype, In Proceedings of the Nth National Computer Security Conference, Washington, DC, 167–176, October 1991.Google Scholar
  206. [206]
    A.C. Snoeren, C. Partridge, L.A. Sanchez, C.E Jones, F. Tchakountio, S.T. Kent and W.T. Strayer, Hash-Based IP Traceback, In Proceedings of the ACM SIGCOMM Conference, San Diego, CA, 3–14, August 2001.Google Scholar
  207. [207]
    SNORT Intrusion Detection System, www.snort.org, 2004.Google Scholar
  208. [208]
    Snort-Wireless Intrusion Detection, http://snort-wireless.org, 2003.Google Scholar
  209. [209]
    A. Somayaji, S. Hofmeyr and S. Forrest, Principles of a computer immune system, In Proceedings of the New Security Paradigms Workshop, Langdale, Cumbria UK, 1997.Google Scholar
  210. [210]
    Sourcefire, Sourcefire Real-time Network Awareness™ (RNA), http:// www.sourcefire.com/products/rna.html, 2004.Google Scholar
  211. [211]
    E. Spafford and D. Zamboni, Intrusion Detection Using Autonomous Agents, Computer Networks, vol. 34, pp. 547–570, 2000.CrossRefGoogle Scholar
  212. [212]
    P. Spirakis, S. Katsikas, D. Gritzalis, F. Allegre, J. Darzentas, C. Gigante, D. Karagiannis, P. Kess, H. Putkonen and T. Spyrou, SECURENET: A Network-Oriented Intelligent Intrusion Prevention And Detection System., Network Security Journal, vol. 1,1, November 1994.Google Scholar
  213. [213]
    T. Spyrou and J. Darzentas, Intention Modelling: Approximating Computer User Intentions for Detection and Prediction of Intrusions, In Proceedings of the Information Systems Security, Samos, Greece, 319–335, May 1996.Google Scholar
  214. [214]
    S. Staniford, J. Hoagland and J. McAlerney, Practical Automated Detection of Stealthy Portscans, Journal of Computer Security, vol. 10,1–2, pp. 105–136, 2002.Google Scholar
  215. [215]
    S. Staniford, V. Paxson and N. Weaver, How to Own the Internet in Your Spare Time, In Proceedings of the USENIX Security Symposium, San Francisco, CA, 149–167, August 2002.Google Scholar
  216. [216]
    S. Staniford-Chen, C.R. Crawford, M. Dilger, J. Frank, J. Hoagland, K. Levitt, C. Wee, R. Yip and D. Zerkle, GrIDS-A Graph Based Intrusion Detection System for Large Networks, In Proceedings of the 19th National Information Systems Security Conference, Baltimore, MD.Google Scholar
  217. [217]
    S. Staniford-Chen, B. Tung, P. Porras, C. Kahn, D. Schnackenberg, R. Feiertag and M. Stillman, The Common Intrusion Detection Framework-Data Formats, Internet Draft Draft-ietf-cidf-data-formats-00.txt, March 1998.Google Scholar
  218. [218]
    R. Stone, Centertrack: An IP Overlay Network for Tracking DoS Floods, In Proceedings of the USENIX Security Symposium, Denver, CO, 199–212, July 2000.Google Scholar
  219. [219]
    SunSHIELD Basic Security Module Guide, http://docs.sun.com/db/doc/802-1965?q=BSM, 1995.Google Scholar
  220. [220]
    Symantec Intruder Alert, http://enterprisesecurity.symantec.com/products/ products.cfm?ProductID=171&EID=0, May 2004.Google Scholar
  221. [221]
    Symantec Security Response, W32.ExploreZip.L.Worm, http://securityresponse.symantec.com/avcenter/venc/data/w32. explorezip.l.worm.html, January 2003.Google Scholar
  222. [222]
    System Detection, Anomaly Detection: The Antura Difference, http:// www.sysd.com/library/anomaly.pdf, 2003.Google Scholar
  223. [223]
    Talisker’s Network Security Resource, http://www.networkintrusion.co.uk/ids.htmGoogle Scholar
  224. [224]
    TCPDUMP public repository, www.tcpdump.orgGoogle Scholar
  225. [225]
    S. Templeton and K. Levit, A Requires/Provides Model for Computer Attacks, In Proceedings of the Workshop on New Security Paradigms, Ballycotton, Ireland, 2000.Google Scholar
  226. [226]
    B. Tod, Distributed Denial of Service Attacks, OVEN Digital, http://www.linuxsecurity.com/resource_files/intrusion_detection/ddos-faq.html, 2000.Google Scholar
  227. [227]
    A. Valdes, Detecting Novel Scans Through Pattern Anomaly Detection, In Proceedings of the Third DARPA Information Survivability Conference and Exposition (DISCEX-III 2003), Washington, D.C., April 2003.Google Scholar
  228. [228]
    A. Valdes and K. Skinner, Adaptive, Model-based Monitoring for Cyber Attack Detection, In Proceedings of the Recent Advances in Intrusion Detection (RAID 2000), Toulouse, France, 80–92, October 2000.Google Scholar
  229. [229]
    A. Valdes and K. Skinner, Probabilistic Alert Correlation, In Proceedings of the Recent Advances in Intrusion Detection (RAID 2001), Davis, CA, October 2001.Google Scholar
  230. [230]
    J. Van Ryan, SAIC’s Center for Information Security, Technology Releases CMDS Version 3.5, http://www.saic.com/news/may98/news05-15-98.html, 1998.Google Scholar
  231. [231]
    Vicomsoft White Paper, Firewall White Paper-What Different Types of Firewalls are There?, available at:, http://www.firewall-software.com/firewall_faqs/ types_of_firewall.html, 2003.Google Scholar
  232. [232]
    G. Vigna and R.A. Kemmerer, Netstat: A Network-Based Intrusion Detection Approach, Journal of Computer Security, vol. 7,1, pp. 37–71, 1999.Google Scholar
  233. [233]
    D. Vincenzetti and M. Cotrozzi, ATP-Anti Tampering Program, In Proceedings of the Fourth USENIX Security Symposium, Santa Clara, CA, 79–89, October 1993.Google Scholar
  234. [234]
    D. Wagner and D. Dean, Intrusion Detection via Static Analysis, In Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, May 2001.Google Scholar
  235. [235]
    H. Wang, D. Zhang and K. Shin, Detecting SYN Flooding Attacks, In Proceedings of the IEEE Infocom, New York, NY, 000-001, June 2002.Google Scholar
  236. [236]
    N. Weaver, V. Paxson, S. Staniford and R. Cunningham, A Taxonomy of Computer Worms, In Proceedings of the The Workshop on Rapid Malcode (WORM 2003), held in conjunction with the 10th ACM Conference on Computer and Communications Security, Washington, DC, October 27, 2003.Google Scholar
  237. [237]
    A. Wespi, M. Dacier and H. Debar, Intrusion Detection Using Variable-Length Audit Trail Patterns, In Proceedings of the Recent Advances in Intrusion Detection (RAID-2000), Toulouse, FR, 110–129, October 2000.Google Scholar
  238. [238]
    WheelGroup Corporation, Cisco Secure Intrusion Detection System, http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/index.htm, 2004.Google Scholar
  239. [239]
    WIDZ Wireless Intrusion Detection System, www.loud-fat-bloke.co.uk/articles/widz_design.pdf.Google Scholar
  240. [240]
    D. Winer, Clay Shirky on P2P, davenet.scripting.com/2000/ll/15/clayShirkyOnP2p, November 2000.Google Scholar
  241. [241]
    J.R. Winkler, A Unix Prototype for Intrusion and Anomaly Detection in Secure Networks, In Proceedings of the 13th National Computer Security Conference, Baltimore, MD, October 1990.Google Scholar
  242. [242]
    J.R. Winkler and L.C. Landry, Intrusion and Anomaly Detection, ISOA Update, In Proceedings of the 15th National Computer Security Conference, Baltimore, MD, October 1992.Google Scholar
  243. [243]
    K. Yamanishi and J. Takeuchi, Discovering Outlier Filtering Rules from Unlabeled Data, In Proceedings of the Seventh ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, San Francisco, CA, August 2001.Google Scholar
  244. [244]
    K. Yamanishi, J. Takeuchi, G. Williams and P. Milne, On-line Unsupervised Outlier Detection Using Finite Mixtures with Discounting Learning Algorithms, In Proceedings of the Sixth ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, Boston, MA, 320–324, August 2000.Google Scholar
  245. [245]
    N. Ye and Q. Chen, An Anomaly Detection Technique Based on a Chi-Square Statistic for Detecting Intrusions Into Information Systems, Quality and Reliability Engineering International, vol. 17,2, pp. 105–112, 2001.CrossRefMathSciNetGoogle Scholar
  246. [246]
    N. Ye and X. Li, A Scalable Clustering Technique for Intrusion Signature Recognition, In Proceedings of the 2001 IEEE Workshop on Information Assurance and Security, United States Military Academy, West Point, NY, June, 2001.Google Scholar
  247. [247]
    Z. Zhang, J. Li, C.N. Manikopoulos, J. Jorgenson and J. Ucles, HIDE: A Hierarchical Network Intrusion Detection System Using Statistical Preprocessing and Neural Network Classification, In Proceedings of the IEEE Workshop on Information Assurance and Security, United States Military Academy, West Point, NY, June 2001.Google Scholar
  248. [248]
    E. Zwicky, S. Cooper, D. Chapman and D. Ru, Building Internet Firewalls, 2nd Edition ed, O’Reilly and Associates, 2000.Google Scholar

Copyright information

© Springer Science+Business Media, Inc. 2005

Authors and Affiliations

  • Aleksandar Lazarevic (1)
  • Vipin Kumar (1)
  • Jaideep Srivastava (1)
  1. Computer Science Department, University of Minnesota, USA
