Towards an Immunity-Based Anomaly Detection System for Network Traffic
We have applied our previous immunity-based system to anomaly detection for network traffic, and confirmed that our system outperformed the single-profile method. For internal masquerader detection, the missed alarm rate was 11.21% with no false alarms. For worm detection, four random-scanning worms and the simulated metaserver worm were detected with no missed alarms and no false alarms, while a simulated passive worm was detected with a missed alarm rate of 80.57%.
Keywords: False Alarm, Operation Sequence, Legitimate User, Request Sequence, Internal User