A Case-Based Approach to Anomaly Intrusion Detection

  • Alessandro Micarelli
  • Giuseppe Sansonetti
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4571)

Abstract

The architecture advanced here is motivated by a visual interpretation of the data obtained from monitoring computers and computer networks in order to detect security violations. This outlook on the problem may offer new intrusion detection techniques that take advantage of algorithmic tools drawn from image processing and computer vision. In the proposed system, the normal interaction between users and the network configuration is represented as snapshots that refer to a limited number of attack-free instances of different applications. From the representations generated in this way, a library is built and managed according to a case-based approach. A query snapshot is compared with those recorded in the system database by computing the Earth Mover’s Distance between the corresponding feature distributions, which are obtained through cluster analysis.
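The retrieval step described in the abstract, as an added illustration that is not the authors' code: each snapshot is summarised by its cluster analysis as a signature of (centroid, relative weight) pairs, the query is matched against a library of attack-free cases by Earth Mover's Distance, and the nearest case decides whether the snapshot is anomalous. Centroids are one-dimensional here (an assumption made so the EMD has a closed form; the general EMD is a transportation problem), and the application names, signatures and threshold are constructed.

```python
from typing import Dict, List, Tuple

# A signature is the cluster-analysis summary of one snapshot:
# one (centroid, relative weight) pair per cluster. Centroids are 1-D
# here (constructed assumption); the general EMD needs a transportation LP.
Signature = List[Tuple[float, float]]

def emd_1d(sig_a: Signature, sig_b: Signature) -> float:
    """EMD between two 1-D signatures of equal total weight with ground
    distance |x - y|: the area between their cumulative weight functions."""
    if abs(sum(w for _, w in sig_a) - sum(w for _, w in sig_b)) > 1e-9:
        raise ValueError("signatures must carry equal total weight")
    mass_a: Dict[float, float] = {}
    mass_b: Dict[float, float] = {}
    for p, w in sig_a:
        mass_a[p] = mass_a.get(p, 0.0) + w
    for p, w in sig_b:
        mass_b[p] = mass_b.get(p, 0.0) + w
    points = sorted(set(mass_a) | set(mass_b))
    cum_a = cum_b = 0.0
    work = 0.0
    for left, right in zip(points, points[1:]):
        cum_a += mass_a.get(left, 0.0)
        cum_b += mass_b.get(left, 0.0)
        # whatever mass is in surplus on the left must cross the whole gap
        work += abs(cum_a - cum_b) * (right - left)
    return work

def nearest_case(query: Signature, library: Dict[str, Signature]) -> Tuple[str, float]:
    """Case-based retrieval: the attack-free snapshot closest to the query."""
    name, sig = min(library.items(), key=lambda kv: emd_1d(query, kv[1]))
    return name, emd_1d(query, sig)

def classify(query: Signature, library: Dict[str, Signature],
             threshold: float) -> Tuple[str, str, float]:
    """Flag the query as anomalous when even its nearest case is too far."""
    name, dist = nearest_case(query, library)
    return ("normal" if dist <= threshold else "anomalous", name, dist)

# Constructed case library: one attack-free signature per application
LIBRARY: Dict[str, Signature] = {
    "httpd": [(1.0, 0.6), (4.0, 0.4)],
    "sshd": [(2.0, 0.5), (7.0, 0.5)],
    "cron": [(9.0, 1.0)],
}

if __name__ == "__main__":
    print(classify([(1.0, 0.6), (5.0, 0.4)], LIBRARY, threshold=1.0))
    print(classify([(6.0, 1.0)], LIBRARY, threshold=1.0))
```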

Keywords

Intrusion Detection, System Call, Intrusion Detection System, Jaccard Distance, Anomaly Detection System
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Alessandro Micarelli (1)
  • Giuseppe Sansonetti (1)
  1. Department of Computer Science and Automation, Artificial Intelligence Laboratory, Roma Tre University, Via della Vasca Navale, 79, 00146 Rome, Italy