A Brief Observation-Centric Analysis on Anomaly-Based Intrusion Detection
This paper focuses on the operational capabilities and drawbacks of anomaly-based intrusion detectors from the perspective of their operating environments rather than of the detection schemes themselves. Exploiting the similarity with the induction problem, anomaly detection is cast in a statistical framework that describes the general behavior one should expect from such detectors. Several key problems, and potential solutions, in characterizing the normality of observable subjects on hosts and in networks are addressed in turn, together with case studies of several representative detection models. The evaluation of anomaly detectors is also discussed briefly on the basis of existing results. The analysis shows that a thorough understanding of the operating environment is the essential stage in establishing an effective anomaly detection model, and therefore deserves close exploration, especially when one faces the dilemma between detection performance and computational cost.
Keywords: Operating Environment, False Alarm Rate, Intrusion Detection, Anomaly Detection, System Call
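As an added illustration (not code or data from the paper): the host-side case studies the abstract refers to concern sliding-window system-call detectors in the style of stide (Forrest, Hofmeyr and colleagues), whose normal profile is simply the set of length-k call windows seen during training. The block below, using constructed traces rather than real process audit data, shows the environment dependence the paper stresses: a trace whose smallest foreign subsequence has length 3 is invisible at window length 2 and flagged at window length 3 (the "minimal foreign sequence" limit described by Tan and Maxion), while a trace containing an unseen call is caught already at k = 1. All trace contents, call names and function names are assumptions made for the example.

```python
"""Sliding-window (stide-style) system-call anomaly detector.

Constructed illustration: the traces are made up for this example and
are not taken from the paper or from any real audit data.
"""
from typing import Dict, Iterable, List, Optional, Sequence, Set, Tuple

Trace = Sequence[str]
Profile = Set[Tuple[str, ...]]

# Constructed "normal" traces, standing in for the system-call sequences
# of one program observed during a training period.
NORMAL_TRACES: List[List[str]] = [
    ["open", "read", "read", "write", "close"],
    ["open", "read", "write", "write", "close"],
    ["open", "mmap", "read", "close"],
    ["open", "read", "read", "write", "write", "close"],
]

# Constructed test traces. ANOMALY_MFS3 uses only calls and call pairs
# seen in training; its smallest foreign subsequence is the trigram
# (mmap, read, write). ANOMALY_MFS1 contains a call never seen at all.
ANOMALY_MFS3 = ["open", "mmap", "read", "write", "write", "close"]
ANOMALY_MFS1 = ["open", "execve", "close"]


def ngrams(trace: Trace, k: int) -> List[Tuple[str, ...]]:
    """All length-k windows of a trace, in order."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def build_profile(traces: Iterable[Trace], k: int) -> Profile:
    """Normal profile: the set of distinct k-grams seen in training."""
    profile: Profile = set()
    for t in traces:
        profile.update(ngrams(t, k))
    return profile


def mismatch_rate(profile: Profile, trace: Trace, k: int) -> float:
    """Fraction of the trace's k-windows that are absent from the profile.

    A trace shorter than k yields no windows and hence a rate of 0.0:
    such traces are invisible to the detector at this window length.
    """
    windows = ngrams(trace, k)
    if not windows:
        return 0.0
    foreign = sum(1 for w in windows if w not in profile)
    return foreign / len(windows)


def detects(normal: Iterable[Trace], trace: Trace, k: int,
            threshold: float = 0.0) -> bool:
    """True if the window-k detector flags the trace (any foreign window)."""
    normal = list(normal)
    return mismatch_rate(build_profile(normal, k), trace, k) > threshold


def min_foreign_size(normal: Iterable[Trace], trace: Trace,
                     max_k: int) -> Optional[int]:
    """Length of the smallest foreign subsequence in the trace, or None.

    A k-window containing a foreign m-gram (m <= k) is itself foreign, so
    the window-k detector flags the trace exactly when k is at least this
    size and the trace is at least k calls long.
    """
    normal = list(normal)
    for k in range(1, max_k + 1):
        if mismatch_rate(build_profile(normal, k), trace, k) > 0.0:
            return k
    return None


def sweep(normal: Iterable[Trace], trace: Trace, max_k: int) -> Dict[int, float]:
    """Mismatch rate of one trace for every window length 1..max_k."""
    normal = list(normal)
    return {k: mismatch_rate(build_profile(normal, k), trace, k)
            for k in range(1, max_k + 1)}


if __name__ == "__main__":
    for name, t in [("normal", NORMAL_TRACES[0]),
                    ("mfs3", ANOMALY_MFS3), ("mfs1", ANOMALY_MFS1)]:
        print(name, min_foreign_size(NORMAL_TRACES, t, 6),
              sweep(NORMAL_TRACES, t, 6))
```

Raising k beyond the largest minimal foreign sequence in the attack traces of a given environment buys nothing further in detection, while the profile can grow toward |alphabet|^k distinct windows and every short trace below k calls falls out of view entirely; which k is "enough" is therefore a property of the observed data, not of the scheme, which is the point the abstract makes.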