This chapter provides the overview of the state of the art in intrusion detection research. Intrusion detection systems are software and/or hardware components that monitor computer systems and analyze events occurring in them for signs of intrusions. Due to widespread diversity and complexity of computer infrastructures, it is difficult to provide a completely secure computer system. Therefore, there are numerous security systems and intrusion detection systems that address different aspects of computer security. This chapter first provides taxonomy of computer intrusions, along with brief descriptions of major computer attack categories. Second, a common architecture of intrusion detection systems and their basic characteristics are presented. Third, taxonomy of intrusion detection systems based on five criteria (information source, analysis strategy, time aspects, architecture, response) is given. Finally, intrusion detection systems are classified according to each of these categories and the most representative research prototypes are briefly described.
- intrusion detection
- intrusion detection systems
- data mining
This is a preview of subscription content, access via your institution.
Tax calculation will be finalised at checkout
Purchases are for personal use onlyLearn about institutional subscriptions
Unable to display preview. Download preview PDF.
T. Abraham, IDDM: Intrusion Detection Using Data Mining Techniques, DSTO Electronics and Surveillance Research Laboratory, Department of Defense, Australia Technical Report DSTO-GD-0286, 2001.
C.C. Aggarwal and P. Yu, Outlier Detection for High Dimensional Data, In Proceedings of the ACM SIGMOD International Conference on Management of Data, Santa BArbara, CA, May 2001.
A. AirDefense, http://www.airdefense.net/products/index.html, 2004.
J. Allen, A. Christie, W. Fithen, J. McHugh, J. Pickel, E. Stoner, J. Ellis, E. Hayes, J. Marella and B. Willke, State of the Practice of Intrusion Detection Technologies., Carnegie Mellon University, Pittsburgh, PA Technical Report CMU/SEI-99-TR-028, 1999.
E. Amoroso, Fundamentals of Computer Security Technology, Prentice-Hall PTR, 1994.
D. Anderson, T. Lunt, H. Javitz, A. Tamaru and A. Valdes, Detecting Unusual Program Behavior Using the Statistical Component of the Next-Generation Intrusion Detection Expert System (NIDES), Computer Science Laboratory, SRI International, Menlo Park, CA Technical Report SRI-CSL-95-06.
J.P. Anderson, Computer Security Threat Monitoring and Surveillance, James P. Anderson Co., Box 42, Fort Washington, PA 19034 Technical Report Contract 79F296400, April 1980.
Arbor Networks, Intelligent Network Management with Peakflow Traffic, http://www.arbornetworks.com/products_sp.php, 2003.
ArcSight, Enterprise Security Management Software, http://www.arcsight.com/.
M. Asaka, S. Okazawa, A. Taguchi and S. Goto, A Method of Tracing Intruders by Use of Mobile Agents, In Proceedings of the 9th Annual Conference of the Internet Society (INET’99), San Jose, CA, June 1999.
T. Aslam, A Taxonomy of Security Faults in the UNIX Operating System, Purdue University Master’s thesis, August 1995.
C.R. Attanasio, P.W. Markstein and R.J. Phillips, Penetrating an Operating System: A Study of VM/370 Integrity, IBM System Journal, vol. 15,1, pp. 102–116, 1976.
S. Axelsson, Intrusion Detection Systems: A Survey and Taxonomy, Dept. of Computer Engineering, Chalmers University Technical Report 99–15, March 2000.
AXENT Technologies, Inc, NetProwler-Advanced Network Intrusion Detection, available online at:, http.//www.axent.com/iti/netprowler/idtk_ds_word_l.html, 1999.
R. Bace and P. Mell, NIST Special Publication on Intrusion Detection Systems, 2001.
D. Barbara, N. Wu and S. Jajodia, Detecting Novel Network Intrusions Using Bayes Estimators, In Proceedings of the First SIAM Conference on Data Mining, Chicago, IL, April 2001.
V. Barnett and T. Lewis, Outliers in Statistical Data. New York, NY, John Wiley and Sons, 1994.
J. Barrus and N. Rowe, A Distributed Autonomous-Agent Network-Intrusion Detection And Response System, In Proceedings of the Command and Control Research and Technology Symposium, Monterey, CA, 577–586, June 1998.
D.S. Bauer and M.E. Koblentz, NIDX-An Expert System For Real-Time, Computer Networking Symposium, 1988.
T. Baving, Network vs. Application-Based Intrusion Detection, Network and Internet Network Security, Computer Science Honours, 2003.
S.M. Bellovin and W.R. Cheswick, Network Firewalls., IEEE Communications Magazine, vol. 32,9, pp. 50–57, September 1994.
M. Bhattacharyya, M. Schultz, E. Eskin, S. Hershkop and S. Stolfo, MET: An Experimental System for Malicious Email Tracking, In Proceedings of the New Security Paradigms Workshop (NSPW), Hampton, VA, September 2002.
M. Bishop, How Attackers Break Programs, and How To Write Programs More Securely, In Proceedings of the 8th USENIX Security Symposium, University of California, Davis, August 1999.
E. Bloedorn, A. Christiansen, W. Hill, C. Skorupka, L. Talbot and J. Tivel, Data Mining for Network Intrusion Detection: How to Get Started, MITRE Technical Report, http://www.mitre.org/work/tech_papers/tech_papers_01/bloedorndatamining, August 2001.
M.M. Breunig, H.P. Kriegel, R.T. Ng and J. Sander, LOF: Identifying Density Based Local Outliers, ACM SIGMOD Conference, vol. Dallas, TX, May 2000.
S. Bridges and R. Vaughn, Fuzzy Data Mining and Genetic Algorithms Applied to Intrusion Detection, In Proceedings of the Twenty-third National Information Systems Security Conference, Baltimore, MD, October 2000.
H. Burch and B. Cheswick, Tracing Anonymous Packets to Their Approximate Source, In Proceedings of the USENIX Large Installation Systems Administration Conference, New Orleans, LA, 319–327, December 2000.
D. Burroughs, L. Wilson and G. Cybenko, Analysis of Distributed Intrusion Detection Systems Using Bayesian Methods, www.ists.dartmouth.edu/IRIA/projects/ipccc.final.pdf, 2002.
J. Cabrera, B. Ravichandran and R. Mehra, Statistical Traffic Modeling For Network Intrusion Detection, In Proceedings of the 8th International Symposium on Modeling, Analysis and Simulation of Computer and Telecommunication Systems, San Francisco, CA, August 2000.
J. Cannady, Artificial Neural Networks For Misuse Detection, In Proceedings of the National Information Systems Security Conference (NISSC’98), Arlington, VA, 443–456, October, 1998.
J. Cannady and J. Harrell, A Comparative Analysis of Current Intrusion Detection Technologies, In Proceedings of the Fourth Technology for Information Security Conference’96 (TIS’96), Houston, TX, May 1996.
CERIAS Intrusion Detection Resources, http://www.cerias.purdue.edu/coast/ids/ids-body.html, 2004.
CERT® Advisory CA-1995-13 Syslog Vulnerability-A Workaround for Sendmail, http://www.cert.org/advisories/CA-1995-13.html, September, 1997.
CERT® Advisory CA-1999-04 Melissa Worm and Macro Virus, http://www.cert.org/advisories/CA-1999-04.html, March 1999.
CERT® Advisory CA-2000-14 Microsoft Outlook and Outlook Express Cache Bypass Vulnerability, http://www.cert.org/advisories/CA-2000-14.html, July 2000.
CERT® Advisory CA-2001-26 Nimda Worm, http://www.cert.org/advisories/CA-2001-26.html, September 2001.
CERT® Advisory CA-2003-04 MS-SQL Server Worm, http://www.cert.org/advisories/CA-2003-04.html, 2003.
CERT® Advisory CA-2003-25 Buffer Overflow in Sendmail, http://www.cert.org/advisories/CA-2003-25.html, September, 2003.
P.C. Chan and V.K. Wei, Preemptive Distributed Intrusion Detection Using Mobile Agents, In Proceedings of the Eleventh IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WET ICE 2002), Pittsburgh, PA, June 2002.
N. Chawla, A. Lazarevic, L. Hall and K. Bowyer, SMOTEBoost: Improving the Prediction of Minority Class in Boosting, In Proceedings of the Principles of Knowledge Discovery in Databases, PKDD-2003, Cavtat, Croatia, September 2003.
C. Cheng, H.T. Kung and K. Tan, Use of Spectral Analysis in Defense Against DoS Attacks, In Proceedings of the IEEE GLOBECOM, Taipei, Taiwan, 2002.
W.R. Cheswick and S.M. Bellovin, Firewalls and Internet Security-Repelling the Wily Hacker, Addison-Wesley, ISBN 0-201-63357-4, 1994.
R. Chinchani, S. Upadhyaya and K. Kwiat, A Tamper-Resistant Framework for Unambiguous Detection of Attacks in User Space Using Process Monitors, In Proceedings of the IEEE International Workshop on Information Assurance, Darmstadt, Germany, March 2003.
R. Chinchani, S. Upadhyaya and K. Kwiat, Towards the Scalable Implementation of a User Level Anomaly Detection System, In Proceedings of the IEEE Conference on Military Communications Conference (MILCOM), Anaheim, CA, October 2002.
J. Christy, Cyber Threat & Legal Issues, In Proceedings of the ShadowCon’99, Dahlgren, VA, October 26, 1999.
Cisco Intrusion Detection, www.cisco.com/warp/public/cc/pd/sqsw/sqidsz, May 2004.
Cisco Systems, Inc., NetRanger-Enterprise-scale, Real-time, Network Intrusion Detection System, http://www.cisco.com/univercd/cc/td/doc/product/iaabu/netrangr/, 1998.
cknow.com Virus Tutorial, http://www.cknow.com/vtutor/vtmap.htm, 2001.
C. Cowan, C. Pu, D. Maier, H. Hinton, J. Walpole, P. Bakke, S. Beattie, A. Grier and P. Zhang, StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks, In Proceedings of the 7th USENIX Security Symposium, San Antonio, TX, 63–77.
O. Dain and R. Cunningham, Fusing a Heterogeneous Alert Stream Into Scenarios, In Proceedings of the ACM Workshops on Data Mining for Security Applications, Philadelphia, PA, November 2001.
V. Dao and R. Vemuri, Computer Network Intrusion Detection: A Comparison of Neural Networks Methods, Differential Equations and Dynamical Systems, Special Issue on Neural Networks, 2002.
DARPA, DARPA Intrusion Detection Evaluation, http://www.ll.mit.edu/IST/ideval/pubs/pubsindex.html, 2004.
J. De Queiroz and Carmo L., MICHAEL: An Autonomous Mobile Agent System to Protect New Generation Networked Applications, In Proceedings of the 2nd Annual Workshop n Recent Advances in Intrusion Detection, Rio de Janeiro, Brasil, 1999.
H. Debar, M. Becker and D. Siboni, A Neural Network Component for an Intrusion-Detection System, In Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy, Oakland, CA, 240–250, May 1992.
H. Debar, M. Dacier and A. Wespi, Towards a Taxonomy of Intrusion Detection Systems, Computer Networks, vol. 31,8, pp. 805–822, 1999.
D. Denning, An Intrusion-Detection Model, IEEE Transactions on Software Engineering, vol. 13,2, pp. 222–232, 1987.
dmoz Open Security Project, Intrusion Detection Systems, http://dmoz.org/Computers/Security/Intrusion_Detection_Systems/
C. Dowell and P. Ramstedt, The Computerwatch Data Reduction Tool, In Proceedings of the 13th National Computer Security Conference, Washington, DC, 1990.
N. Einwechter, An Introduction To Distributed Intrusion Detection Systems, Security Focus, January 2002.
D. Engelhardt, Directions for Intrusion Detection and Response: A survey, DSTO Electronics and Surveillance Research Laboratory, Department of Defense, Australia Technical Report DSTO-GD-0155, 1997.
L Ertoz, E. Eilertson, A. Lazarevic, P. Tan, J. Srivastava, V. Kumar and P. Dokas, The MINDS-Minnesota Intrusion Detection System, in Data Mining: Next Generation Challenges and Future Directions, A. Joshi H. Kargupta, K. Sivakumar, and Y. Yesha, Ed., 2004.
L. Ertoz, E. Eilertson, P. Dokas, V. Kumar and K. Long, Scan Detection-Revisited, Army High Performance Computing Research Center Technical Report, 2004.
S. Eschrich, Real-Time User Identification Employing Standard Unix Accounting, Florida State University PhD Thesis, Fall 1995.
E. Eskin, Anomaly Detection over Noisy Data using Learned Probability Distributions, In Proceedings of the International Conference on Machine Learning, Stanford University, CA, June 2000.
E. Eskin, A. Arnold, M. Prerau, L. Portnoy and S. Stolfo, A Geometric Framework for Unsupervised Anomaly Detection: Detecting Intrusions in Unlabeled Data, in Applications of Data Mining in Computer Security, Advances In Information Security, S. Jajodia D. Barbara, Ed. Boston: Kluwer Academic Publishers, 2002.
M. Esmaili, B. Balachandran, R. Safavi-Naini and J. Pieprzyk, Case-Based Reasoning For Intrusion Detection, In Proceedings of the 12th Annual Computer Security Applications Conference, San Diego, CA, December 1996.
M. Esmaili, R. Safavi-Naini and B.M. Balachandran, Autoguard: A Continuous Case-Based Intrusion Detection System, In Proceedings of the Australian Computer Science Conference, Australian Computer Science Communications, Sydney, Australia, 392–401, February 1997.
W. Fan, W. Lee, M. Miller, S.J. Stolfo and P.K. Chan, Using Artificial Anomalies to Detect Unknown and Known Network Intrusions, In Proceedings of the First IEEE International conference on Data Mining, vol. San Jose, CA, December 2001.
D. Farmer, Cops Overview, http://www.trouble.org/cops/overview.html, May 1993.
D. Farmer and W. Venema, Improving The Security Of Your Site By Breaking Into It, http://www.trouble.org/security/admin-guide-to-cracking.html
H. Feng, O. Kolesnikov, P. Fogla, W. Lee and W. Gong, Anomaly Detection Using Call Stack Information, In Proceedings of the IEEE Symposium Security and Privacy, Oakland, CA, May 2003.
G. Florez, S. Bridges and R. Vaughn, An Improved Algorithm for Fuzzy Data Mining for Intrusion Detection, In Proceedings of the North American Fuzzy Information Processing Society Conference (NAFIPS 2002), New Orleans, LA, June, 2002.
S. Forrest, S. Hofmeyr, A. Somayaji and T. Longstaff, A Sense of Self for Unix Processes, In Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, 120–128, May 1996.
A. Ghosh and A. Schwartzbard, A Study in Using Neural Networks for Anomaly and Misuse Detection, In Proceedings of the Eighth USENIX Security Symposium, Washington, D.C., 141–151, August, 1999.
T.M Gil and M. Poletto, MULTOPS: A Data-Structure for Bandwidth Attack Detection, In Proceedings of the USENIX Security Symposium, Washington, D.C., 23–28, July 2001.
Google directory, http://directory.google.com/Top/Computers/Security/Intrusion_Detection_Systems
N. Habra, B. LeCharlier, A. Mounji and I. Mathieu, ASAX: Software Architecture and Rule-Based Language for Universal Audit Trail Analysis, In Proceedings of the Second European Symposium on Research in Computer Security (ESORICS), Vol. 648, Lecture Notes in Computer Science, Springer-Verlag, Toulouse, France, November 1992.
S.E. Hansen and E.T. Atkins, Automated System Monitoring and Notification With Swatch., In Proceedings of the Seventh Systems Administration Conference (LISA’ 93), Monterey, CA, November 1993.
S. Hawkins, H. He, G. Williams and R. Baxter, Outlier Detection Using Replicator Neural Networks, In Proceedings of the 4th International Conference on Data Warehousing and Knowledge Discovery (DaWaK02), Lecture Notes in Computer Science 2454, Aix-en-Provence, France, 170–180, September 2002.
Haystack Labs, Inc., Stalker, http://www.haystack.com/stalk.htm, 1997.
L.T. Heberlein, G.V. Dias, K.N. Levitt, B. Mukherjee, J. Wood and D. Wolber, A Network Security Monitor, In Proceedings of the IEEE Symposium on Research in Security and Privacy, Oakland, CA, 296–304, May 1990.
G. Helmer, J.S.K Wong, V. Honavar and L. Miller, Intelligent Agents for Intrusion Detection, In Proceedings of the IEEE Information Technology Conference, Syracuse, NY, 121–124, September 1998.
K. Houle, G. Weaver, N. Long and R. Thomas, Trends in Denial of Service Attack Technology, CERT® Coordination Center, Pittsburgh, PA October 2001.
J.D. Howard, An Analysis of Security Incidents on the Internet, Carnegie Mellon University, Pittsburgh, PA 15213 Ph.D. dissertation, April 1997.
D. Hughes, TkLogger, ftp://coast.cs.purdue.edU/pub/tools/unix/tklogger.tar.Z
K. Ilgun, USTAT A Real-time Intrusion Detection System for UNIX, University of California Santa Barbara Master Thesis, 1992.
Internet Guide, Computer Viruses / Virus Guide, http://www.internet-guide.co.uk/viruses.html, 2002.
Internet Security Systems Wireless Products, Active Wireless Protection, An X-Force’s white paper, available at: documents.iss.net/whitepapers/ActiveWirelessProtection.pdf, September 2002.
Internet Security Systems, Inc., RealSecure, http://www.iss.net/prod/rsds.html, 1997.
Intrusion.com, Intrusion SecureHost, white paper available at: www.intrusion.com/products/hids.asp, 2003.
J. loannidis and S. Bellovin, Implementing Pushback: Router-Based Defense Against DDoS Attacks, In Proceedings of the Network and Distributed System Security Symposium, San Diego, CA, February 2002.
K. Jackson, Intrusion Detection System Product Survey, Los Alamos National Laboratory Research Report, LA-UR-99-3883, June 1999.
R. Jagannathan, T. Lunt, D. Anderson, C. Dodd, F. Gilham, C. Jalali, H. Javitz, P. Neumann, A. Tamaru and A. Valdes, System Design Document: Next-Generation Intrusion Detection Expert System (NIDES). SRI International Technical Report A007/A008/A009/A011/A012/A014, March 1993.
W. Jansen and P. Mell, Mobile Agents in Intrusion Detection and Response, In Proceedings of the 12th Annual Canadian Information Technology Security Symposium, Ottawa, Canada, 2000.
H.S. Javitz and A. Valdes, The SRI IDES Statistical Anomaly Detector, In Proceedings of the IEEE Symposium on Research in Security and Privacy, Oakland, CA, 1991.
N.D. Jayaram and P.L.R. Morse, Network Security-A Taxonomic View, In Proceedings of the European Conference on Security and Detection, School of Computer Science, University of Westminster, UK, Publication No. 437, 28–30, April 1997.
A. Jones and R. Sielken, Computer System Intrusion Detection, University of Virginia Technical Report, 1999.
M. Joshi, R. Agarwal and V. Kumar, PNrule, Mining Needles in a Haystack: Classifying Rare Classes via Two-Phase Rule Induction, In Proceedings of the ACM SIGMOD Conference on Management of Data, Santa Barbara, CA, May 2001.
M. Joshi, R. Agarwal and V. Kumar, Predicting Rare Classes: Can Boosting Make Any Weak Learner Strong?, In Proceedings of the Eight ACM Conference ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, Edmonton, Canada, July 2002.
Y.F. Jou, F. Gong, C. Sargor, S.F. Wu and W.R. Cleaveland, Architecture Design of a Scalable Intrusion Detection System For The Emerging Network Infrastructure, MCNC Information Technologies Division, Research Triangle Park, NC 27709 Technical Report CDRL A005, April 1997.
K. Julisch, Mining Alarm Clusters to Improve Alarm Handling Efficiency, In Proceedings of the 17th Annual Conference on Computer Security Applications, New Orleans, LA, December 2001.
J. Jung, V. Paxson, A. W. Berger and H. Balakrishnan, Fast Portscan Detection Using Sequential Hypothesis Testing, In Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, May, 2004.
K. Kendall, A Database of Computer Attacks for the Evaluation of Intrusion Detection Systems, Massachusetts Institute of Technology Master’s Thesis, 1998.
A.D. Keromytis, V. Misra and D. Rubenstein, SoS: Secure Overlay Services, In Proceedings of the ACM SIGCOMM Conference, Pittsburgh, PA, 61–72, August 2002.
D. Kienzle and M. Elder, Recent Worms. A Survey and Trends, In Proceedings of the The Workshop on Rapid Malcode (WORM 2003), held in conjunction with the 10th ACM Conference on Computer and Communications Security, Washington, DC, October 27, 2003.
G. Kim and E. Spafford, The Design and Implementation of Tripwire: A File System Integrity Checker, In Proceedings of the ACM Conference on Computer and Communications Security, COAST, Purdue University, IN, 18–29, November 1994.
E. Knorr and R. Ng, Algorithms for Mining Distance based Outliers in Large Data Sets, In Proceedings of the Very Large Databases (VLDB) Conference, New York City, NY, August 1998.
I.V. Krsul, Software Vulnerability Analysis, Purdue University Ph.D. dissertation, May 1998.
C. Kruegel and T. Toth, Distributed Pattern Detection For Intrusion Detection, In Proceedings of the Network and Distributed System Security Symposium Conference Proceedings, Internet Society, Los Angeles, CA, February 2002.
C. Krugel and T. Toth, A Survey on Intrusion Detection Systems, Technical University of Vienna Technical report, TUV-1841-00-11, 2000.
C. Krugel, T. Toth and E. Kirda, Service Specific Anomaly Detection for Network Intrusion Detection, In Proceedings of the ACM Symposium on Applied Computing, Madrid, Spain, March 2002.
S. Kumar, Classification and Detection of Computer Intrusion, Computer Science Department, Purdue University Ph.D. dissertation, August 1995.
S. Kumar and E. Spafford, An Application of Pattern Matching in Intrusion Detection, Purdue University Technical Report, 1994.
H. Kvarnstrom, A Survey of Commercial Tools for Intrusion Detection, Chalmers University of Technology, Göteborg, Sweden Technical Report, 1999.
C. Landwehr, A. Bull, J. McDermott and W. Choi, A Taxonomy of Computer Program Security Flaws, ACM Computing Surveys, vol. 26,3, pp. 211–254, September 1994.
T. Lane and C. Brodley, Temporal Sequence Learning and Data Reduction for Anomaly Detection, ACM Transactions on Information and System Security, vol. 2,3, pp. 295–331, 1999.
A. Lazarevic, L. Ertoz, A. Ozgur, J. Srivastava and V. Kumar, A Comparative Study of Anomaly Detection Schemes in Network Intrusion Detection, In Proceedings of the Third SIAM International Conference on Data Mining, San Francisco, CA, May 2003.
A. Lazarevic, J. Srivastava and V. Kumar, Cyber Threat Analysis-A Key Enabling Technology for the Objective Force (A Case Study in Network Intrusion Detection), In Proceedings of the IT/C4ISR, 23rd Army Science Conference, Orlando, FL, December 2002.
W. Lee, S. Stolfo and P. Chan, Patterns from Unix Process Execution Traces for Intrusion Detection, In Proceedings of the AAAI Workshop: AI Approaches to Fraud Detection and Risk Management, Providence, RI, July 1997.
W. Lee, S. Stolfo and K. Mok, Adaptive Intrusion Detection: A Data Mining Approach., Artificial Intelligence Review, vol. 14, pp. 533–567, 2001.
W. Lee and S.J. Stolfo, Data Mining Approaches for Intrusion Detection, In Proceedings of the USENIX Security Symposium, San Antonio, TX, January, 1998.
W. Lee and S.J. Stolfo, A Framework for Constructing Features and Models for Intrusion Detection Systems., ACM Transactions on Information and System Security, vol. 3,4, pp. 227–261, 2000.
W. Lee and D. Xiang, Information-Theoretic Measures for Anomaly Detection, In Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, May 2001.
G. Liepins and H. Vaccaro, Anomaly Detection Purpose and Framework, In Proceedings of the 12th National Computer Security Conference, Baltimore, MD, 495–504, October 1989.
G. Liepins and H. Vaccaro, Intrusion Detection: It’s Role and Validation, Computers and Security, pp. 347–355, 1992.
Y.X. Lim, T. Schmoyer, J. Levine and H.L. Owen, Wireless Intrusion Detection and Response, In Proceedings of the IEEE Workshop on Information Assurance, United States Military Academy, West Point, NY, June 2003.
J.L Lin, X.S. Wang and S. Jajodia, Abstraction-Based Misuse Detection: High-Level Specifications and Adaptable Strategies, In Proceedings of the 11th IEEE Computer Security Foundations Workshop, Rockport, MA, June 1998.
U. Lindqvist and E. Jonsson, How to Systematically Classify Computer Security Intrusions, IEEE Security and Privacy, pp. 154–163, 1997.
U. Lindqvist and P. A. Porras, Detecting Computer and Network Misuse Through the Production-Based Expert System Toolset (P-BEST), In Proceedings of the IEEE Symposium on Security and Privacy, Berkeley, CA, May 1999.
R. Lippmann, The Role of Network Intrusion Detection, In Proceedings of the Workshop on Network Intrusion Detection, H.E.A.T. Center, Aberdeen, MD, March 19–20, 2002.
R. Lippmann and R. Cunningham, Improving Intrusion Detection Performance Using Keyword Selection and Neural Networks, Computer Networks, vol. 34,4, pp. 597–603, 2000.
R. Lippmann, J.W. Haines, D.J. Fried, J. Korba and K. Das, The 1999 DARPA Off-Line Intrusion Detection Evaluation, Computer Networks, 2000.
R.P. Lippmann, R.K. Cunningham, D.J. Fried, I. Graf, K.R. Kendall, S.E. Webster and M.A. Zissman, Results of the DARPA 1998 Offline Intrusion Detection Evaluation, In Proceedings of the Workshop on Recent Advances in Intrusion Detection, (RAID-1999), West Lafayette, IN, September, 1999.
J. Lo, Trojan Horse Attacks, www.irchelp.org/irchelp/security/trojan.html, April 2004.
D. Lough, A Taxonomy of Computer Attacks with Applications to Wireless Networks, Virginia Polytechnic Institute PhD Thesis, April 2001.
T. Lunt, A Survey of Intrusion Detection techniques, Computers & Security, vol. 12,4, pp. 405–418, June 1993.
T. Lunt, R. Jagannathan, R. Lee, S. Listgarten, D.L. Edwards, P.G. Neumann, H.S. Javitz and A. Valdes, IDES: The Enhanced Prototype-A Real-Time Intrusion-Detection Expert System, SRI International Technical Report SRI-CSL-88-12.
T. Lunt, A. Tamaru, F. Gilham, R. Jagannathan, C. Jalali, P.G. Neumann, H.S. Javitz, A. Valdes and T.D. Garvey, A Real Time Intrusion Detection Expert System (IDES), SRI Technical report, 1992.
T.F. Lunt, Real-Time Intrusion Detection, In Proceedings of the Thirty Fourth IEEE Computer Society International Conference (COMPCON), Intellectual Leverage, San Francisco, CA, February 1989.
J. Luo, Integrating Fuzzy Logic With Data Mining Methods for Intrusion Detection, Department of Computer Science, Mississippi State University Master’s thesis, 1999.
R. Mahajan, S. Bellovin, S. Floyd, J. Ioannidis, V. Paxson and S. Shenker, Controlling High Bandwidth Aggregates in The Network, ACM Computer Communication Review, July 2001.
M. Mahoney and P. Chan, Learning Nonstationary Models of Normal Network Traffic for Detecting Novel Attacks, In Proceedings of the Eight ACM International Conference on Knowledge Discovery and Data Mining, Edmonton, Canada, 376–385, July 2002.
S. Manganaris, M. Christensen, D. Serkle and K. Hermiz, A Data Mining Analysis of RTID Alarms, Computer Networks, vol. 34,4, October 2000.
D. Marchette, Computer Intrusion Detection and Network Monitoring, A Statistical Viewpoint. New York, Springer, 2001.
J. Marin, D. Ragsdale and J. Surdu, A Hybrid Approach to Profile Creation and Intrusion Detection, In Proceedings of the DARPA Information Survivability Conference and Exposition, Anaheim, CA, June, 2001.
R. Maxion and K. Tan, Anomaly Detection in Embedded Systems, IEEE Transactions on Computers, vol. 51,2, pp. 108–120, 2002.
Mazu Profiler™, An Overview, http://www.mazunetworks.com/solutions/white_papers/download/Mazu_Profiler.pdf, December 2003.
M. Medina, A Layered Framework for Placement of Distributed Intrusion Detection Devices, In Proceedings of the 21st National Information Systems Security Conference (NISSC’98), Crystal City, VA, October 1998.
Meier. M. and M. Sobirey, Intrusion Detection Systems List and Bibliography, http://www-rnks.informatik.tu-cottbus.de/en/security/ids.html
Metropolitan, Metropolitan Network BBS, Inc., Kaspersky.ch, Computer Virus Classification, http://www.avp.ch/avpve/classes/classes.stm, 2003.
J. Mirkovic, G. Prier and P. Reiher, Attacking DDoS at the Source, 10th IEEE International Conference on Network Protocols, November 2002.
J. Mirkovic and P. Reiher, A Taxonomy of DDoS Attacks and Defense Mechanisms, ACM Computer Communication Review, April 2004.
D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford and N. Weaver, The Spread of the Sapphire/Slammer Worm, http://www.cs.berkeley.edu/~nweaver/sapphire/, 2003.
D. Moore, G. M. Voeker and S. Savage, Inferring Internet Denial-of-Service Activity, USENIX Security Symposium, pp. 9–22, August 2001.
A. Mounji, Languages and Tools for Rule-Based Distributed Intrusion Detection, Facult es Universitaires Notre-Dame de la Paix, Namur, Belgium Doctor of Science Thesis, September 1997.
S. Mukkamala, G. Janoski and A. Sung, Intrusion Detection Using Neural Networks and Support Vector Machines, In Proceedings of the IEEE International Joint Conference on Neural Networks, Honolulu, HI, May 2002.
S. Mukkamala, A. Sung and A. Abraham, Intrusion Detection Systems Using Adaptive Regression Splines, In Proceedings of the 1st Indian International Conference on Artificial Intelligence (IICAI-03), Hyderabad, India, December 2003.
S. Mukkamala, A. Sung and A. Abraham, A Linear Genetic Programming Approach for Modeling Intrusion, In Proceedings of the IEEE Congress on Evolutionary Computation (CEC2003), Perth, Australia, December, 2003.
NAGIOS Network Monitoring Tool, www.nagios.org, February 2004.
Nessus Network Security Scanner, http://www.nessus.org/, 2004.
Netflow Tools, www.netflow.com
NetForensics®, Security Information Management, http://www.netforensics.com/
Network Associates, Inc., Cybercop server, http://www.nai.com/products/security/cybercopsvr/index.asp, 1998.
P. Neumann and P. Porras, Experience with Emerald to Date, In Proceedings of the First Usenix Workshop on Intrusion Detection and Network Monitoring, Santa Clara, CA, 1999.
P.G. Neumann, Computer Related Risks, The ACM Press, a division of the Association for Computing Machinery, Inc. (ACM), 1995.
P.G. Neumann and D.B. Parker, A Summary of Computer Misuse Techniques, In Proceedings of the 12th National Computer Security Conference, 396–407, 1989.
NFR Network Intrusion Detection, http://www.nfr.com/products/NID/, 2001.
P. Ning, Y. Cui and D. Reeves, Constructing Attack Scenarios through Correlation of Intrusion Alerts, In Proceedings of the 9th ACM Conference on Computer & Communications Security, Washington D.C., 245–254, November 2002.
S. Nomad, Distributed Denial of Service Defense Tactics, http://razor.bindview.com/publish/papers/strategies.html, 2/14/2000.
S. Northcutt, SHADOW, http://www.nswc.navy.mil/ISSEC/CID/, 1998.
K. P. Park and H. Lee, On the Effectiveness of Router-Based Packet Filtering for Distributed Dos Attack Prevention in Power-Law Internets, In Proceedings of the ACM SIGCOMM Conference, San Diego, CA, August 2001.
D.B. Parker, Computer Abuse Perpetrators and Vulnerabilities of Computer Systems, Stanford Research Institute, Menlo Park, CA 94025 Technical Report, December 1975.
D.B. Parker, COMPUTER CRIME Criminal Justice Resource Manual, U.S. Department of Justice National Institute of Justice Office of Justice Programs, Prepared by SRI International under contract to Abt Associates for National Institute of Justice, U.S. Department of Justice, contract #OJP-86-C-002., 1989.
V. Paxson, Bro: A System for Detecting Network Intruders in Real-Time, In Proceedings of the 7th USENIX Security Symposium, San Antonio, TX, January 1998.
Pcap, libpcap, winpcap, libdnet, and libnet Applications and Resources, http://www.stearns.org/doc/pcap-apps.html, 2004.
T. Peng, C. Leckie and K. Ramamohanarao, Defending Against Distributed Denial of Service Attack Using Selective Pushback, In Proceedings of the Ninth IEEE International Conference on Telecommunications (ICT 2002), Beijing, China, June 2002.
P. Porras, D. Schanckernberg, S. Staniford-Chen, M. Stillman and F. Wu, Common Intrusion Detection Framework Architecture, http://www.gidos.org/drafts/ architecture.txt, 2001.
P.A. Porras and R.A. Kemmerer, Penetration State Transition Analysis: A Rule-Based Intrusion Detection Approach, In Proceedings of the Eighth Annual Computer Security Applications Conference, San Antonio, TX, December, 1992.
P.A. Porras and P.G. Neumann, EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances, In Proceedings of the 20th National Information Systems Security Conference, Baltimore, MD., 353–365, October, 1997.
P.A. Porras and A. Valdes, Live Traffic Analysis of TCP/IP Gateways, In Proceedings of the ISOC Symposium on Network and Distributed System Security (NDSS’98), San Diego, CA, March 1998.
D. Powell and R. Stroud, Conceptual Model and Architecture, Deliverable D2, Project MAFTIA IST-1999-11583, IBM Zurich Research Laboratory Research Report RZ 3377, Nov. 2001.
Proventia™, Security’s Silver Bullet? An Internet Security Systems White Paper, available at:, http://documents.iss.net/whitepapers/ProventiaVision.pdf, 2003.
F. Provost and T. Fawcett, Robust Classification for Imprecise Environments, Machine Learning, vol. 42,3, pp. 203–231, 2001.
T.H. Ptacek and T.N. Newsham, Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection, Secure Networks, Inc Technical Report, January 1998.
Michael Puldy, Lessons Learned in the Implementation of a Multi-Location Network Based Real Time Intrusion Detection System, In Proceedings of the Workshop on Recent Advances in Intrusion Detection (RAID 98), Louvain-la-Neuve, Belgium, September 1998.
X. Qin and W. Lee, Statistical Causality Analysis of INFOSEC Alert Data, In Proceedings of the 6th International Symposium on Recent Advances in Intrusion Detection (RAID 2003), Pittsburgh, PA, September 2003.
S. Ramaswamy, R. Rastogi and K. Shim, Efficient Algorithms for Mining Outliers from Large Data Sets, In Proceedings of the ACM SIGMOD Conference, Dallas, TX, May 2000.
M.J. Ranum, K. Landfield, M. Stolarchuk, M. Sienkiewicz, A. Lambeth and Wall E., Implementing a Generalized Tool for Network Monitoring, In Proceedings of the Eleventh Systems Administration Conference (LISA’97), San Diego, CA, October 1997.
T. Richardson, The Development of a Database Taxonomy of Vulnerabilities to Support the Study of Denial of Service Attacks., Iowa State University PhD Thesis, 2001.
T. Richardson, J. Davis, D. Jacobson, J. Dickerson and L. Elkin, Developing a Database of Vulnerabilities to Support the Study of Denial of Service Attacks, IEEE Symposium on Security and Privacy, May 1999.
S. Robertson, E. Siegel, M. Miller and S. Stolfo, Surveillance Detection in High Bandwidth Environments, In Proceedings of the 3rd DARPA Information Survivability Conference and Exposition (DISCEX 2003), Washington DC, April 2003.
P. Rolin, L. Toutain and S. Gombault, Network Security Probe, In Proceedings of the 2nd ACM Conference on Computer and Communication Security (ACM CCS’94), Fairfax, VA, 229–240, November 1994.
J. Ryan, M-J. Lin and R. Miikkulainen, Intrusion Detection with Neural Networks, In Proceedings of the AAA1 Workshop on AI Approaches to Fraud Detection and Risk Management, Providence, RI, 72–77, July 1997.
D. Safford, D. Schales and D. Hess, The Tamu Security Package: An Ongoing Response to Internet Intruders in an Academic Environment, In Proceedings of the Fourth USENIX Security Symposium, Santa Clara, CA, 91–118, October 1993.
S. Savage, D. Wetherall, A. Karlin and T. Anderson, Practical Network Support for IP Traceback, In Proceedings of the ACM SIGCOMM Conference, Stockholm, Sweden, 295–306, August 2000.
M. Schultz, E. Eskin, E. Zadok and S. Stolfo, Data Mining Methods for Detection of New Malicious Executables, In Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, 38–49, May 2001.
Secure Networks, Inc., Ballista Security Auditing System, http:// www.securenetworks.com/ballista/ballista.html, 1997.
SecurityTechNet.com Intrusion Detection Links, http://cnscenter.future.co.kr/security/ids.html, 2004.
R. Sekar, A. Gupta, J. Frullo, T. Shanbhag, A. Tiwari, H. Yang and S. Zhou, Specification Based Anomaly Detection: A New Approach for Detecting Network Intrusions, In Proceedings of the ACM Conference on Computer and Communications Security (CCS), Washington, D.C., November 2002.
A. Seleznyov and S. Puuronen, HIDSUR: A Hybrid Intrusion Detection System Based on Real-Time User Recognition, In Proceedings of the 11th International Workshop on Database and Expert Systems Applications (DEXA’00), Greenwich, London, UK, September, 2000.
K. Sequeira and M. Zaki, ADMIT: Anomaly-base Data Mining for Intrusions, In Proceedings of the 8th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, Edmonton, Canada, July 2002.
C. Sinclair, L. Pierce and S. Matzner, An Application of Machine Learning to Network Intrusion Detection, In Proceedings of the 15th Annual Computer Security Applications Conference, Phoenix, AZ, 371–377, December 1999.
S. Singh and Kandula S., Argus: A Distributed Network Intrusion Detection System, Indian Institute of Technology Kanpur, Department of Computer Science & Engineering, available at: http://www.cse.iitk.ac.in/research/btp2001/Argus.html Technical Report, 2001.
S. Smaha, Haystack: An Intrusion Detection System, In Proceedings of the Fourth Aerospace Computer Security Applications Conference, 37–44, October 1988.
S.R. Snapp, J. Brentano, G.V. Dias, T.L. Goan, T. Heberlein, C. Ho, K.N. Levitt, B. Mukherjee, S.E. Smaha, T. Grance, D.M. Teal and D. Mansur, DIDS (Distributed Intrusion Detection System) Motivation, Architecture, and an Early Prototype, In Proceedings of the Nth National Computer Security Conference, Washington, DC, 167–176, October 1991.
A.C. Snoeren, C. Partridge, L.A. Sanchez, C.E Jones, F. Tchakountio, S.T. Kent and W.T. Strayer, Hash-Based IP Traceback, In Proceedings of the ACM SIGCOMM Conference, San Diego, CA, 3–14, August 2001.
SNORT Intrusion Detection System, www.snort.org, 2004.
Snort-Wireless Intrusion Detection, http://snort-wireless.org, 2003.
A. Somayaji, S. Hofmeyr and S. Forrest, Principles of a computer immune system, In Proceedings of the New Security Paradigms Workshop, Langdale, Cumbria UK, 1997.
Sourcefire, Sourcefire Real-time Network Awareness™ (RNA), http:// www.sourcefire.com/products/rna.html, 2004.
E. Spafford and D. Zamboni, Intrusion Detection Using Autonomous Agents, Computer Networks, vol. 34, pp. 547–570, 2000.
P. Spirakis, S. Katsikas, D. Gritzalis, F. Allegre, J. Darzentas, C. Gigante, D. Karagiannis, P. Kess, H. Putkonen and T. Spyrou, SECURENET: A Network-Oriented Intelligent Intrusion Prevention And Detection System., Network Security Journal, vol. 1,1, November 1994.
T. Spyrou and J. Darzentas, Intention Modelling: Approximating Computer User Intentions for Detection and Prediction of Intrusions, In Proceedings of the Information Systems Security, Samos, Greece, 319–335, May 1996.
S. Staniford, J. Hoagland and J. McAlerney, Practical Automated Detection of Stealthy Portscans, Journal of Computer Security, vol. 10,1–2, pp. 105–136, 2002.
S. Staniford, V. Paxson and N. Weaver, How to Own the Internet in Your Spare Time, In Proceedings of the USENIX Security Symposium, San Francisco, CA, 149–167, August 2002.
S. Staniford-Chen, C.R. Crawford, M. Dilger, J. Frank, J. Hoagland, K. Levitt, C. Wee, R. Yip and D. Zerkle, GrIDS-A Graph Based Intrusion Detection System for Large Networks, In Proceedings of the 19th National Information Systems Security Conference, Baltimore, MD.
S. Staniford-Chen, B. Tung, P. Porras, C. Kahn, D. Schnackenberg, R. Feiertag and M. Stillman, The Common Intrusion Detection Framework-Data Formats, Internet Draft Draft-ietf-cidf-data-formats-00.txt, March 1998.
R. Stone, Centertrack: An IP Overlay Network for Tracking DoS Floods, In Proceedings of the USENIX Security Symposium, Denver, CO, 199–212, July 2000.
SunSHIELD Basic Security Module Guide, http://docs.sun.com/db/doc/802-1965?q=BSM, 1995.
Symantec Intruder Alert, http://enterprisesecurity.symantec.com/products/ products.cfm?ProductID=171&EID=0, May 2004.
Symantec Security Response, W32.ExploreZip.L.Worm, http://securityresponse.symantec.com/avcenter/venc/data/w32. explorezip.l.worm.html, January 2003.
System Detection, Anomaly Detection: The Antura Difference, http:// www.sysd.com/library/anomaly.pdf, 2003.
Talisker’s Network Security Resource, http://www.networkintrusion.co.uk/ids.htm
TCPDUMP public repository, www.tcpdump.org
S. Templeton and K. Levit, A Requires/Provides Model for Computer Attacks, In Proceedings of the Workshop on New Security Paradigms, Ballycotton, Ireland, 2000.
B. Tod, Distributed Denial of Service Attacks, OVEN Digital, http://www.linuxsecurity.com/resource_files/intrusion_detection/ddos-faq.html, 2000.
A. Valdes, Detecting Novel Scans Through Pattern Anomaly Detection, In Proceedings of the Third DARPA Information Survivability Conference and Exposition (DISCEX-III 2003), Washington, D.C., April 2003.
A. Valdes and K. Skinner, Adaptive, Model-based Monitoring for Cyber Attack Detection, In Proceedings of the Recent Advances in Intrusion Detection (RAID 2000), Toulouse, France, 80–92, October 2000.
A. Valdes and K. Skinner, Probabilistic Alert Correlation, In Proceedings of the Recent Advances in Intrusion Detection (RAID 2001), Davis, CA, October 2001.
J. Van Ryan, SAIC’s Center for Information Security, Technology Releases CMDS Version 3.5, http://www.saic.com/news/may98/news05-15-98.html, 1998.
Vicomsoft White Paper, Firewall White Paper-What Different Types of Firewalls are There?, available at:, http://www.firewall-software.com/firewall_faqs/ types_of_firewall.html, 2003.
G. Vigna and R.A. Kemmerer, Netstat: A Network-Based Intrusion Detection Approach, Journal of Computer Security, vol. 7,1, pp. 37–71, 1999.
D. Vincenzetti and M. Cotrozzi, ATP-Anti Tampering Program, In Proceedings of the Fourth USENIX Security Symposium, Santa Clara, CA, 79–89, October 1993.
D. Wagner and D. Dean, Intrusion Detection via Static Analysis, In Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, May 2001.
H. Wang, D. Zhang and K. Shin, Detecting SYN Flooding Attacks, In Proceedings of the IEEE Infocom, New York, NY, 000-001, June 2002.
N. Weaver, V. Paxson, S. Staniford and R. Cunningham, A Taxonomy of Computer Worms, In Proceedings of the The Workshop on Rapid Malcode (WORM 2003), held in conjunction with the 10th ACM Conference on Computer and Communications Security, Washington, DC, October 27, 2003.
A. Wespi, M. Dacier and H. Debar, Intrusion Detection Using Variable-Length Audit Trail Patterns, In Proceedings of the Recent Advances in Intrusion Detection (RAID-2000), Toulouse, FR, 110–129, October 2000.
WheelGroup Corporation, Cisco Secure Intrusion Detection System, http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/index.htm, 2004.
WIDZ Wireless Intrusion Detection System, www.loud-fat-bloke.co.uk/articles/widz_design.pdf.
D. Winer, Clay Shirky on P2P, davenet.scripting.com/2000/ll/15/clayShirkyOnP2p, November 2000.
J.R. Winkler, A Unix Prototype for Intrusion and Anomaly Detection in Secure Networks, In Proceedings of the 13th National Computer Security Conference, Baltimore, MD, October 1990.
J.R. Winkler and L.C. Landry, Intrusion and Anomaly Detection, ISOA Update, In Proceedings of the 15th National Computer Security Conference, Baltimore, MD, October 1992.
K. Yamanishi and J. Takeuchi, Discovering Outlier Filtering Rules from Unlabeled Data, In Proceedings of the Seventh ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, San Francisco, CA, August 2001.
K. Yamanishi, J. Takeuchi, G. Williams and P. Milne, On-line Unsupervised Outlier Detection Using Finite Mixtures with Discounting Learning Algorithms, In Proceedings of the Sixth ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, Boston, MA, 320–324, August 2000.
N. Ye and Q. Chen, An Anomaly Detection Technique Based on a Chi-Square Statistic for Detecting Intrusions Into Information Systems, Quality and Reliability Engineering International, vol. 17,2, pp. 105–112, 2001.
N. Ye and X. Li, A Scalable Clustering Technique for Intrusion Signature Recognition, In Proceedings of the 2001 IEEE Workshop on Information Assurance and Security, United States Military Academy, West Point, NY, June, 2001.
Z. Zhang, J. Li, C.N. Manikopoulos, J. Jorgenson and J. Ucles, HIDE: A Hierarchical Network Intrusion Detection System Using Statistical Preprocessing and Neural Network Classification, In Proceedings of the IEEE Workshop on Information Assurance and Security, United States Military Academy, West Point, NY, June 2001.
E. Zwicky, S. Cooper, D. Chapman and D. Ru, Building Internet Firewalls, 2nd Edition ed, O’Reilly and Associates, 2000.
Editors and Affiliations
© 2005 Springer Science+Business Media, Inc.
About this chapter
Cite this chapter
Lazarevic, A., Kumar, V., Srivastava, J. (2005). Intrusion Detection: A Survey. In: Kumar, V., Srivastava, J., Lazarevic, A. (eds) Managing Cyber Threats. Massive Computing, vol 5. Springer, Boston, MA. https://doi.org/10.1007/0-387-24230-9_2
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-24226-2
Online ISBN: 978-0-387-24230-9