Towards a Theory of Intrusion Detection

  • Giovanni Di Crescenzo
  • Abhrajit Ghosh
  • Rajesh Talpade
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3679)


We embark on theoretical approaches to the investigation of intrusion detection schemes. Our main motivation is to provide rigorous security requirements for intrusion detection systems that designers of such systems can use. Our model captures and generalizes well-known methodologies in the intrusion detection area, such as anomaly-based and signature-based intrusion detection, and formulates security requirements based on both well-known complexity-theoretic notions and well-known cryptographic notions (such as computational indistinguishability).

Under our model, we present two efficient paradigms for intrusion detection systems, one based on nearest neighbor search algorithms and one based on both the latter and clustering algorithms. Under formally specified assumptions on the representation of network traffic, we can prove that both systems satisfy our main security requirement for an intrusion detection system. In both cases, while the potential truth of the assumption rests on heuristic properties of the representation of network traffic (which is hard to avoid, given the unpredictable nature of external attacks on a network), the proof that the systems satisfy the desired detection properties is rigorous and of a probabilistic and algorithmic nature. Additionally, our framework raises open questions on intrusion detection systems that can be rigorously studied. As an example, we study the problem of arbitrarily and efficiently extending the detection window of any intrusion detection system, which allows the latter to catch attack sequences interleaved with normal traffic packet sequences. We use combinatorial tools, such as time- and space-efficient covering set systems, to present provably correct solutions to this problem.
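The window-extension problem described above, as an added example that is not from the paper (the paper's own detector model and covering-set construction are not on this page, so the setup below is an assumption about how such an extension works): a toy base detector that inspects at most w packets at a time and flags a known t-packet signature appearing in order among them, and a (v, w, t) covering design, built greedily, whose blocks are fed one at a time to the base detector so that any t attack packets spread over a span of v packets land inside some block. The signature, the packet stream and the base detector are constructed for illustration.

```python
"""Extending an IDS detection window with a covering design (added example).

Assumed setup, not the paper's construction: a base detector inspects at
most `w` packets and flags an attack if the `t` packets of a known
signature appear, in order, among them. Slid over contiguous windows it
misses an attack whose packets are spread over a span of `v` packets with
normal traffic interleaved. A (v, w, t) covering design is a family of
w-subsets ("blocks") of the v positions such that every t-subset of
positions lies inside some block; running the base detector on each
block's packets therefore catches any t-packet attack in the span.
"""
from itertools import combinations

# Constructed toy alphabet: 'N' is a normal packet, 'A1'..'A3' are the
# ordered packets of a hypothetical three-step attack.
SIGNATURE = ("A1", "A2", "A3")


def base_detect(packets, signature=SIGNATURE, w=4):
    """Base IDS with window w: True if `signature` is an ordered
    subsequence of the (at most w) packets it is handed."""
    if len(packets) > w:
        raise ValueError("base detector only inspects w=%d packets" % w)
    i = 0
    for p in packets:
        if i < len(signature) and p == signature[i]:
            i += 1
    return i == len(signature)


def contiguous_detect(stream, w=4):
    """Naive extension: slide the base detector over contiguous windows."""
    return any(base_detect(stream[s:s + w], w=w)
               for s in range(len(stream) - w + 1))


def greedy_covering(v, k, t):
    """Greedy (v, k, t) covering design: repeatedly pick the k-block that
    covers the most still-uncovered t-subsets. Exponential in v, so only
    for small parameters; published tables (e.g. the La Jolla Covering
    Repository) give far smaller coverings for realistic sizes."""
    if not t <= k <= v:
        raise ValueError("need t <= k <= v")
    uncovered = set(combinations(range(v), t))
    candidates = [frozenset(b) for b in combinations(range(v), k)]
    blocks = []
    while uncovered:
        best = max(candidates,
                   key=lambda b: sum(1 for s in uncovered if set(s) <= b))
        blocks.append(tuple(sorted(best)))
        uncovered = {s for s in uncovered if not set(s) <= best}
    return blocks


def is_covering(v, k, t, blocks):
    """Check the defining property: every block has size k and every
    t-subset of range(v) lies inside at least one block."""
    return (all(len(b) == k for b in blocks) and
            all(any(set(s) <= set(b) for b in blocks)
                for s in combinations(range(v), t)))


def extended_detect(stream, v, w, t, blocks=None):
    """Run the base detector on every block of a (v, w, t) covering, for
    every length-v span of the stream. Detection is guaranteed whenever
    the t attack packets fall within some v-packet span."""
    if blocks is None:
        blocks = greedy_covering(v, w, t)
    for s in range(len(stream) - v + 1):
        span = stream[s:s + v]
        for b in blocks:
            if base_detect([span[i] for i in b], w=w):
                return True
    return False


# Constructed stream: the attack is spread over 8 packets with normal
# traffic between its steps, so no 4 contiguous packets contain all of it.
STREAM = ["N", "A1", "N", "N", "A2", "N", "N", "A3", "N"]

if __name__ == "__main__":
    blocks = greedy_covering(8, 4, 3)
    print("blocks:", len(blocks), "covering ok:", is_covering(8, 4, 3, blocks))
    print("contiguous windows detect:", contiguous_detect(STREAM))
    print("covering-extended detect:", extended_detect(STREAM, 8, 4, 3))
```

The cost of the extension is the number of blocks: each v-packet span costs one base-detector call per block, so the size of the covering (lower-bounded by the Schönheim bound, 14 for v=8, w=4, t=3) is what a practitioner trades against the longer window.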





Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Giovanni Di Crescenzo (1)
  • Abhrajit Ghosh (1)
  • Rajesh Talpade (1)
  1. Telcordia Technologies, Piscataway, USA
