Skip to main content
SpringerLink
Log in

Panacea: Automating Attack Classification for Anomaly-Based Network Intrusion Detection Systems

  • Conference paper
Recent Advances in Intrusion Detection (RAID 2009)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 5758))

Included in the following conference series:

Abstract

Anomaly-based intrusion detection systems are usually criticized because they lack a classification of attacks, thus security teams have to manually inspect any raised alert to classify it. We present a new approach, Panacea, to automatically and systematically classify attacks detected by an anomaly-based network intrusion detection system.

This research is supported by the research program Sentinels (http://www.sentinels.nl). Sentinels is being financed by Technology Foundation STW, the Netherlands Organization for Scientific Research (NWO), and the Dutch Ministry of Economic Affairs.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Ghosh, A., Schwartzbard, A.: A study in using neural networks for anomaly and misuse detection. In: SSYM 1999: Proc. 8th conference on USENIX Security Symposium, pp. 141–152. USENIX Association (1999)

    Google Scholar 

  2. Robertson, W., Vigna, G., Kruegel, C., Kemmerer, R.: Using generalization and characterization techniques in the anomaly-based detection of web attacks. In: NDSS 2006: Proc. 13th ISOC Symposium on Network and Distributed Systems Security (2006)

    Google Scholar 

  3. Ning, P., Cui, Y., Reeves, D.: Constructing attack scenarios trough correlation of intrusion alerts. In: CCS 2002: Proc. 9th ACM Conference on Computer and Communication Security, pp. 245–254. ACM Press, New York (2002)

    Google Scholar 

  4. Cuppens, F., Ortalo, R.: LAMBDA: A Language to Model a Database for Detection of Attacks. In: Debar, H., Mé, L., Wu, S.F. (eds.) RAID 2000. LNCS, vol. 1907, pp. 197–216. Springer, Heidelberg (2000)

    Chapter  Google Scholar 

  5. Debar, H., Wespi, A.: Aggregation and Correlation of Intrusion-Detection Alerts. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, pp. 85–103. Springer, Heidelberg (2001)

    Chapter  Google Scholar 

  6. Ning, P., Xu, D.: Learning attack strategies from intrusion alerts. In: CCS 2003: Proc. 10th ACM conference on Computer and Communications Security, pp. 200–209. ACM Press, New York (2003)

    Google Scholar 

  7. Valeur, F., Vigna, G., Kruegel, C., Kremmerer, R.: A comprehensive approach to intrusion detection alert correlation. IEEE Trans. Dependable Secur. Comput. 1(3), 146–169 (2004)

    Article  Google Scholar 

  8. Roesch, M.: Snort - Lightweight Intrusion Detection for Networks. In: LISA 1999: Proc. 13th USENIX Conference on System Administration, pp. 229–238. USENIX Association (1999)

    Google Scholar 

  9. Sourcefire: Snort Network Intrusion Detection System, http://www.snort.org

  10. Damashek, M.: Gauging similarity with n-grams: Language-independent categorization of text. Science 267(5199), 843–848 (1995)

    Article  Google Scholar 

  11. Forrest, S., Hofmeyr, S.: A Sense of Self for Unix Processes. In: S&P 1996: Proc. 17th IEEE Symposium on Security and Privacy, pp. 120–128. IEEE Computer Society Press, Los Alamitos (2002)

    Google Scholar 

  12. Wang, K., Stolfo, S.: Anomalous Payload-Based Network Intrusion Detection. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol. 3224, pp. 203–222. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  13. Wang, K., Parekh, J., Stolfo, S.: Anagram: a Content Anomaly Detector Resistant to Mimicry Attack. In: Zamboni, D., Krügel, C. (eds.) RAID 2006. LNCS, vol. 4219, pp. 226–248. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  14. Bloom, B.: Space/time trade-offs in hash coding with allowable errors. Communications of the ACM 13(7), 422–426 (1970)

    Article  MATH  Google Scholar 

  15. Pietraszek, T.: Using Adaptive Alert Classification to Reduce False Positives in Intrusion Detection. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol. 3224, pp. 102–124. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  16. Bolzoni, D., Crispo, B., Etalle, S.: ATLANTIDES: An Architecture for Alert Verification in Network Intrusion Detection Systems. In: LISA 2007: Proc. 21st Large Installation System Administration Conference, pp. 141–152. USENIX Association (2007)

    Google Scholar 

  17. Meyer, D., Leisch, F., Hornik, K.: The support vector machine under test. Neurocomputing 55(1-2), 169–186 (2003)

    Article  Google Scholar 

  18. R Development Core Team: R: A Language and Environment for Statistical Computing. R Foundation for Statistical Computing, http://www.R-project.org

  19. Lee, W.: A data mining framework for constructing features and models for intrusion detection systems. PhD thesis, Columbia University, New York, NY, USA (1999)

    Google Scholar 

  20. Lee, W., Fan, W., Miller, M., Stolfo, S., Zadok, E.: Toward cost-sensitive modeling for intrusion detection and response. Journal of Computer Security 10(1-2), 5–22 (2002)

    Article  Google Scholar 

  21. Vapnik, V., Lerner, A.: Pattern recognition using generalized portrait method. Automation and Remote Control 24 (1963)

    Google Scholar 

  22. Boser, B., Guyon, I., Vapnik, V.: A training algorithm for optimal margin classifiers. In: Proc. 5th Annual ACM Workshop on Computational Learning Theory, pp. 144–152. ACM Press, New York (1992)

    Chapter  Google Scholar 

  23. Cohen, W.: Fast effective rule induction. In: Proc. 12th International Conference on Machine Learning, pp. 115–123. Morgan Kaufmann, San Francisco (1995)

    Google Scholar 

  24. The University of Waikato: Weka 3: Data Mining Software in Java, http://www.cs.waikato.ac.nz/ml/weka/

  25. Howard, J.: An analysis of security incidents on the Internet 1989-1995. PhD thesis, Carnegie Mellon University, Pittsburgh, PA, USA (1998)

    Google Scholar 

  26. Hansman, S., Hunt, R.: A taxonomy of network and computer attacks. Computers & Security 24(1), 31–43 (2004)

    Article  Google Scholar 

  27. Lippmann, R., Cunningham, R., Fried, D., Garfinkel, S., Gorton, A., Graf, I., Kendall, K., McClung, D., Weber, D., Webster, S., W̃yschogrod, D., Zissman, M.: The 1998 DARPA/AFRL off-line intrusion detection evaluation. In: RAID 1998: Proc. 1st International Workshop on the Recent Advances in Intrusion Detection (1998)

    Google Scholar 

  28. Lippmann, R., Haines, J., Fried, D., Korba, J., Das, K.: The 1999 DARPA off-line intrusion detection evaluation. Computer Networks: The International Journal of Computer and Telecommunications Networking 34(4), 579–595 (2000)

    Article  Google Scholar 

  29. Snort Team: Snort user manual, http://www.snort.org/docs/snort_htmanuals/htmanual_2832/node220.html

  30. Web Application Security Consortium: Web Security Threat Classification, http://www.webappsec.org/projects/threat/

  31. Tenable Network Security: Nessus Vulnerabilty Scanner, http://www.nessus.org/

  32. CIRT.net: Nikto web scanner, http://www.cirt.net/nikto2

  33. Milw0rm, http://milw0rm.com

  34. Bolzoni, D., Zambon, E., Etalle, S., Hartel, P.: POSEIDON: a 2-tier Anomaly-based Network Intrusion Detection System. In: IWIA 2006: Proc. 4th IEEE International Workshop on Information Assurance, pp. 144–156. IEEE Computer Society Press, Los Alamitos (2006)

    Google Scholar 

  35. Bolzoni, D., Etalle, S.: Boosting Web Intrusion Detection Systems by Inferring Positive Signatures. In: Meersman, R., Tari, Z. (eds.) OTM 2008, Part II. LNCS, vol. 5332, pp. 938–955. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  36. Cova, M., Balzarotti, D., Felmetsger, V., Vigna, G.: Swaddler: An approach for the anomaly-based detection of state violations in web applications. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 63–86. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  37. Vigna, G., Robertson, W., Balzarotti, D.: Testing network-based intrusion detection signatures using mutant exploits. In: CCS 2004: Proc. 11th ACM Conference on Computer and Communications Security, pp. 21–30. ACM Press, New York (2004)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. University of Twente, Enschede, The Netherlands

    Damiano Bolzoni, Sandro Etalle & Pieter H. Hartel

  2. Eindhoven Technical University, The Netherlands

    Sandro Etalle

Authors
  1. Damiano Bolzoni
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Sandro Etalle
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Pieter H. Hartel
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Institute Eurecom, 2229 Route des Cretes, 06560, Sophia-Antipolis Cedex, France

    Engin Kirda  & Davide Balzarotti  & 

  2. Computer Sciences Department, University of Wisconsin, 53706, Madison, WI, USA

    Somesh Jha

Rights and permissions

Reprints and permissions

Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Bolzoni, D., Etalle, S., Hartel, P.H. (2009). Panacea: Automating Attack Classification for Anomaly-Based Network Intrusion Detection Systems. In: Kirda, E., Jha, S., Balzarotti, D. (eds) Recent Advances in Intrusion Detection. RAID 2009. Lecture Notes in Computer Science, vol 5758. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04342-0_1

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-04342-0_1

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-04341-3

  • Online ISBN: 978-3-642-04342-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation