Towards an Immunity-Based Anomaly Detection System for Network Traffic

  • Takeshi Okamoto
  • Yoshiteru Ishida
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4252)


We have applied our previous immunity-based system to anomaly detection for network traffic, and confirmed that our system outperformed the single-profile method. For internal masquerader detection, the missed alarm rate was 11.21% with no false alarms. For worm detection, four random-scanning worms and the simulated metaserver worm were detected with no missed alarms and no false alarms, while a simulated passive worm was detected with a missed alarm rate of 80.57%.


False Alarm Operation Sequence Legitimate User Request Sequence Internal User 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Williamson, M.M.: Throttling viruses: Restricting propagation to defeat malicious mobile code. In: ACSAC Security Conference, pp. 61–68 (2002)Google Scholar
  2. 2.
    Okamoto, T.: A Worm Filter Based on the Number of Unacknowledged Requests. In: Khosla, R., Howlett, R.J., Jain, L.C. (eds.) KES 2005. LNCS (LNAI), vol. 3682, pp. 93–99. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  3. 3.
    Weaver, N., Paxson, V., Staniford, S., Cunningham, R.: A taxonomy of computer worms. In: The 2003 ACM Workshop on Rapid Malcode, pp. 11–18. ACM Press, New York (2003)CrossRefGoogle Scholar
  4. 4.
    Okamoto, T., Watanabe, T., Ishida, Y.: Towards an immunity-based system for detecting masqueraders. In: Palade, V., Howlett, R.J., Jain, L. (eds.) KES 2003. LNCS, vol. 2774, pp. 488–495. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  5. 5.
    Okamoto, T., Watanabe, T., Ishida, Y.: Mechanism for Generating Immunity-Based Agents that Detect Masqueraders. In: Negoita, M.G., Howlett, R.J., Jain, L.C. (eds.) KES 2004. LNCS (LNAI), vol. 3214, pp. 534–540. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  6. 6.
    Okamoto, T., Watanabe, Y., Ishida, Y.: Test statistics for a masquerader detection system – a comparison between hidden markov model and other probabilistic models. Transactions of the ISCIE 16(2), 61–69 (2003)Google Scholar
  7. 7.
    Schonlau, M., DuMouchel, W., Ju, W., Karr, A., Theus, M., Vardi, Y.: Computer intrusion: Detecting masquerades. Statistical Science 16(1), 58–74 (2001)zbMATHCrossRefMathSciNetGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Takeshi Okamoto
    • 1
  • Yoshiteru Ishida
    • 2
  1. 1.Department of Network EngineeringKanagawa Institute of TechnologyAtsugiJapan
  2. 2.Department of Knowledge-Based Information EngineeringToyohashi University of TechnologyToyohashiJapan

Personalised recommendations