Abstract
Monitoring and analysing the security events of an information system (IS) has become increasingly difficult in recent years. As IS complexity grows, the number of mandatory monitoring points increases, along with the number of deployed probes. Consequently, a huge amount of information is reported to the analyst, who is flooded by it, and very complex event-analysis engines have to be implemented. In the context of behaviour analysis, where sequences of events are studied, this volume of information makes it difficult to build automatable models of manageable complexity. To cope with this growing amount of information, we describe a method that reduces the observation perimeter by selecting the most relevant indicators. These indicators, defined through the analysis of user and attacker behaviour, represent the different actions that users or attackers perform in the IS. The method implies neither information loss nor a significant decline in detection rate. We evaluated this indicator selection with a behavioural anomaly detection engine, injecting a few days of events. Results show that model complexity is significantly reduced while the detection rate stays almost the same.
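The following is an added illustration of the idea the abstract describes (collapsing many raw probe events into a small set of behavioural indicators, then modelling sequences of those indicators); it is not the authors' code and not their exact method. The event names, the event-to-indicator mapping, the constructed sessions and the choice of a first-order Markov chain with additive smoothing as the sequence model are all assumptions made for this example.

```python
"""
Indicator selection for behavioural anomaly detection: added example.

Everything below (event names, indicator table, sessions, scoring model) is
constructed for illustration; it is not the paper's code or its exact method.
"""
import math
from collections import Counter, defaultdict

# Constructed mapping: many heterogeneous raw events collapse onto a few
# behavioural indicators (actions a user or attacker performs in the IS).
# Events mapped to None fall outside the observation perimeter and are dropped.
INDICATORS = {
    "sshd_login_ok": "AUTH_OK",     "web_login_ok": "AUTH_OK",
    "sshd_login_fail": "AUTH_FAIL", "web_login_fail": "AUTH_FAIL",
    "file_read": "DATA_ACCESS",     "db_select": "DATA_ACCESS",
    "sudo_cmd": "PRIV_ESC",         "setuid_exec": "PRIV_ESC",
    "scp_out": "EXFIL",             "http_post_large": "EXFIL",
    "cron_tick": None,              "ntp_sync": None,   # background noise
}


def to_indicators(events):
    """Project a raw event sequence onto the indicator alphabet."""
    return [INDICATORS[e] for e in events
            if INDICATORS.get(e) is not None]   # unknown events are dropped too


class MarkovModel:
    """First-order Markov chain over a symbol alphabet, with additive smoothing."""

    def __init__(self, alphabet, alpha=1.0):
        self.alphabet = sorted(alphabet)
        self.alpha = alpha
        self.counts = defaultdict(Counter)
        self.n_params = len(self.alphabet) ** 2   # size of the transition table

    def fit(self, sequences):
        for seq in sequences:
            for a, b in zip(seq, seq[1:]):
                self.counts[a][b] += 1
        return self

    def prob(self, a, b):
        total = sum(self.counts[a].values())
        return (self.counts[a][b] + self.alpha) / (total + self.alpha * len(self.alphabet))

    def score(self, seq):
        """Mean negative log-likelihood per transition; higher means more anomalous."""
        if len(seq) < 2:
            return 0.0
        nll = -sum(math.log(self.prob(a, b)) for a, b in zip(seq, seq[1:]))
        return nll / (len(seq) - 1)


# Constructed training sessions of ordinary users, as seen by the probes.
NORMAL_SESSIONS = [
    ["sshd_login_ok", "cron_tick", "file_read", "file_read", "db_select", "ntp_sync", "file_read"],
    ["web_login_ok", "db_select", "db_select", "cron_tick", "file_read"],
    ["sshd_login_fail", "sshd_login_ok", "file_read", "cron_tick", "db_select", "file_read"],
    ["web_login_ok", "file_read", "ntp_sync", "db_select", "db_select"],
]
# Constructed test sessions: one ordinary user, one brute-force / escalation / exfiltration.
TEST_NORMAL = ["sshd_login_ok", "file_read", "cron_tick", "db_select", "file_read"]
TEST_ATTACK = ["sshd_login_fail", "sshd_login_fail", "sshd_login_fail",
               "sshd_login_ok", "sudo_cmd", "scp_out", "scp_out"]


def run_demo():
    """Train on raw events and on indicators; compare model size and scores."""
    raw = MarkovModel(INDICATORS.keys()).fit(NORMAL_SESSIONS)
    ind_alphabet = {v for v in INDICATORS.values() if v is not None}
    ind = MarkovModel(ind_alphabet).fit(to_indicators(s) for s in NORMAL_SESSIONS)
    return {
        "raw_params": raw.n_params,              # 12 symbols -> 144 transitions
        "indicator_params": ind.n_params,        #  5 symbols ->  25 transitions
        "raw_scores": {"normal": raw.score(TEST_NORMAL),
                       "attack": raw.score(TEST_ATTACK)},
        "indicator_scores": {"normal": ind.score(to_indicators(TEST_NORMAL)),
                             "attack": ind.score(to_indicators(TEST_ATTACK))},
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The point of the comparison is the one the abstract makes: the indicator model has far fewer parameters to estimate than the raw-event model, yet the attack session still scores well above the ordinary session, because the unusual transitions (repeated authentication failures, then privilege escalation, then exfiltration) survive the projection while the noise does not. In practice the indicator table would be derived from an analysis of user and attacker behaviour rather than written by hand as here.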
© 2008 IFIP International Federation for Information Processing
Cite this paper
Saraydaryan, J., Paffumi, L., Legrand, V., Ubeda, S. (2008). Behavioral Intrusion Detection Indicators. In: Jajodia, S., Samarati, P., Cimato, S. (eds) Proceedings of The Ifip Tc 11 23rd International Information Security Conference. SEC 2008. IFIP – The International Federation for Information Processing, vol 278. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-09699-5_21
DOI: https://doi.org/10.1007/978-0-387-09699-5_21
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-09698-8
Online ISBN: 978-0-387-09699-5