Anomaly Detection in Computer Networks

  • Philipp Winter
  • Harald Lampesberger
  • Markus Zeilinger
  • Eckehard Hermann


Anomaly detection in computer networks has been a research topic for decades. So far, however, significant successes have failed to materialize. Methods that deliver promising results on paper are published regularly, but hardly any of them makes it into practical use. This article explains the reasons for this and presents how this phenomenon can be countered.



Copyright information

© Springer Fachmedien Wiesbaden 2011

Authors and Affiliations

  • Philipp Winter (1)
  • Harald Lampesberger (1)
  • Markus Zeilinger (2)
  • Eckehard Hermann (2)

  1. FH-Oberösterreich, Wels, Austria
  2. Kommunikation und Medien, FH-Oberösterreich, Wels, Austria
