Detection Approaches

  • Ali A. Ghorbani
  • Wei Lu
  • Mahbod Tavallaee
Part of the Advances in Information Security book series (ADIS, volume 47)


The basic principle of intrusion detection is based on the assumption that intrusive activities are noticeably different from normal ones and thus are detectable [16]. Many intrusion detection approaches have been suggested in the literature since Anderson’s seminal report [5]. Traditionally these approaches are classified into three categories: misuse detection, anomaly detection and specification-based detection. Anomaly based intrusion detection approaches are dedicated to establishing a model of the data flow that is monitored under normal conditions without the presence of any intrusive procedures. In contrast, misuse detection approaches aim to encode knowledge about patterns in the data flow that are known to correspond to intrusive procedures in form of specific signatures. In specification based detection approaches, security experts predefine the allowed system behaviors and thus events that do not match the specifications are labeled as attacks. In this chapter we discuss these different approaches in detail and summarize some representative examples in each category.


False Alarm Rate Intrusion Detection Anomaly Detection Intrusion Detection System Misuse Detection 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    T. Abbes, A. Bouhoula, and M. Rusinowitch, Protocol analysis in intrusion detection using decision tree, Proceedings of International Conference on Information Technology: Coding and Computing (ITCC), vol. 1, 2004.Google Scholar
  2. 2.
    A.A.E. Ahmed and I. Traore, Detecting computer intrusions using behavioral biometrics, Third Annual Conference on Privacy, Security and Trust (PST), 2005.Google Scholar
  3. 3.
    D. Anderson, T. Frivold, and A. Valdes, Next-generation intrusion detection expert system (NIDES): A summary, SRI International, Computer Science Laboratory, 1995.Google Scholar
  4. 4.
    D. Anderson, T.F. Lunt, H. Javitz, A. Tamaru, and A. Valdes, Detecting unusual program behavior using the statistical component of the Next-generation Intrusion Detection Expert System (NIDES), SRI International, Computer Science Laboratory, 1995.Google Scholar
  5. 5.
    J.P. Anderson, Computer security threat monitoring and surveillance, (1980).Google Scholar
  6. 6.
    S. Antonatos, K.G. Anagnostakis, and E.P. Markatos, Generating realistic workloads for network intrusion detection systems, ACM SIGSOFT Software Engineering Notes 29 (2004), no. 1, 207–215.CrossRefGoogle Scholar
  7. 7.
    S. Axelsson, Intrusion detection systems: A survey and taxonomy, Tech. Report 99–15, Chalmers University of Technology, Department of Computer Engineering, 2000.Google Scholar
  8. 8.
    B. Balajinath and SV Raghavan, Intrusion detection through learning behavior model, Computer Communications 24 (2001), no. 12, 1202–1212.CrossRefGoogle Scholar
  9. 9.
    P. Barford and D. Plonka, Characteristics of network traffic flow anomalies, Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement, ACM New York, NY, USA, 2001, pp. 69–73.Google Scholar
  10. 10.
    Paul Barford, Jeffery Kline, David Plonka, and Amos Ron, A signal analysis of network traffic anomalies, Proceedings of the second ACM SIGCOMM Workshop on Internet measurment (Marseille, France), SIGCOMM: ACM Special Interest Group on Data Communication, ACM Press New York, NY, USA, 2002, pp. 71–82.CrossRefGoogle Scholar
  11. 11.
    M.M. Breunig, H.P. Kriegel, R.T. Ng, and J. Sander, LOF: identifying density-based local outliers, ACM SIGMOD Record 29 (2000), no. 2, 93–104.CrossRefGoogle Scholar
  12. 12.
    S.M. Bridges and R.B. Vaughn, Fuzzy data mining and genetic algorithms applied to intrusion detection, Proceedings of the Twenty-third National Information Systems Security Conference, National Institute of Standards and Technology, October 2000.Google Scholar
  13. 13.
    A. Chittur, Model generation for an intrusion detection system using genetic algorithms, High School Honors Thesis, Ossining High School in cooperation with Columbia University (2001).Google Scholar
  14. 14.
    M. Crosbie and E. H. Spafford, Applying genetic programming to intrusion detection, Proceedings of the 1995 AAAI Fall Symposium on Genetic Programming, November 1995.Google Scholar
  15. 15.
    H. Debar, M. Becker, and D. Siboni, A neural network component for an intrusion detection system, Proceedings of the 1992 IEEE Symposium on Security and Privacy, 1992, pp. 240–250.Google Scholar
  16. 16.
    DE Denning, An intrusion-detection model, IEEE Transactions on software engineering (1987), 222–232.Google Scholar
  17. 17.
    O. Depren, M. Topallar, E. Anarim, and M.K. Ciliz, An intelligent intrusion detection system (IDS) for anomaly and misuse detection in computer networks, Expert systems with Applications 29 (2005), no. 4, 713–722.CrossRefGoogle Scholar
  18. 18.
    P. D'haeseleer, S. Forrest, and P. Helman, An immunological approach to change detection: algorithms, analysis, and implications, IEEE Symposium on Security and Privacy, IEEE COMPUTER SOCIETY, 1996, pp. 110–119.Google Scholar
  19. 19.
    S.M. Emran and N. Ye, Robustness of canberra metric in computer intrusion detection, Proceedings of the IEEE Workshop on Information Assurance and Security, West Point, NY, USA, 2001, pp. 80–84.Google Scholar
  20. 20.
    E. Eskin, Anomaly detection over noisy data using learned probability distributions, In Proceedings of the Seventeenth International Conference on Machine Learning (ICML'00), 2000, pp. 255–262.Google Scholar
  21. 21.
    E. Eskin, A. Arnold, M. Prerau, L. Portnoy, and S. Stolfo, A geometric framework for unsupervised anomaly detection, Applications of Data Mining in Computer Security (2002), 77–101.Google Scholar
  22. 22.
    S. Forrest, S. Hofmeyr, A. Somayaji, and T. Longstaff, A sense of self for unix processes, Proceedings of the 1996 IEEE Symposium on Security and Privacy (Los Alamitos, CA), IEEE Computer Society Press, 1996, p. 120128.Google Scholar
  23. 23.
    S. Forrest, S.A. Hofmeyr, and A. Somayaji, Computer immunology, Communications of the ACM 40 (1997), no. 10, 88–96.CrossRefGoogle Scholar
  24. 24.
    S. Forrest, AS Perelson, L. Allen, and R. Cherukuri, Self-nonself discrimination in a computer, Proceedings of the Symposium on Research in Security and Privacy, 1994, pp. 202–212.Google Scholar
  25. 25.
    AK Ghosh, J. Wanken, and F. Charron, Detecting anomalous and unknown intrusions against programs, Proceedings of the 14th Annual Computer Security Applications Conference (ACSAC'98), 1998, pp. 259–267.Google Scholar
  26. 26.
    J. Gómez, D. Dasgupta, O. Nasraoui, and F. Gonzalez, Complete expression trees for evolving fuzzy classifier systems with genetic algorithms, Proceedings of the North American Fuzzy Information Processing Society Conference (NAFIPS-FLINTS), 2002, pp. 469–474.Google Scholar
  27. 27.
    M. Dacier H. Debar and A. Wespi, A revised taxonomy for intrusion-detection systems, Tech. report, IBM Research Report, 1999.Google Scholar
  28. 28.
    LT Heberlein, GV Dias, KN Levitt, B. Mukherjee, J. Wood, and D. Wolber, A network security monitor, Proceedings of the Symposium on Research in Security and Privacy (Oakland, CA), 1990, pp. 296–304.Google Scholar
  29. 29.
    J. Hochberg, K. Jackson, C. Stallings, JF McClary, D. DuBois, and J. Ford, NADIR: An automated system for detecting network intrusion and misuse, Computers and Security 12 (1993), no. 3, 235–248.CrossRefGoogle Scholar
  30. 30.
    K. Hwang, M. Cai, Y. Chen, and M. Qin, Hybrid intrusion detection with weighted signature generation over anomalous internet episodes, IEEE Transactions on Dependable and Secure Computing (2007), 41–55.Google Scholar
  31. 31.
    K. Ilgun, USTAT: A real-time intrusion detection system for UNIX, Proceedings of the IEEE Symposium on Security and Privacy, 1993, pp. 16–28.Google Scholar
  32. 32.
    K. Ilgun, R.A. Kemmerer, and P.A. Porras, State transition analysis: A rule-based intrusion detection approach, IEEE transactions on software engineering 21 (1995), no. 3, 181–199.CrossRefGoogle Scholar
  33. 33.
    KA Jackson, DH DuBois, and CA Stallings, An expert system application for network intrusion detection, Proceedings of the National Computer Security Conference, vol. 1, 1991.Google Scholar
  34. 34.
    Harold S. Javitz, A. Valdez, T. Lunt, and M. Tyson, Next generation intrusion detection expert system (nides), Tech. Report SRI Technical Report A016, SRI International, March 1993.Google Scholar
  35. 35.
    A. Jones and R. Sielken, Computer system intrusion detection: A survey, Tech. report, Department of Computer Science, University of Virginia, Thornton Hall, Charlottesville, VA, September 2000.Google Scholar
  36. 36.
    C. Ko, Logic induction of valid behavior specifications for intrusion detection, Proceedings of IEEE Symposium on Security and Privacy, 2000, pp. 142–153.Google Scholar
  37. 37.
    Calvin Ko, Paul Brutch, Jeff Rowe, Guy Tsafnat, and Karl Levitt, System health and intrusion monitoring using a hierarchy of constraints, Proceedings of Recent Advances in Intrusion Detection, 4th International Symposium, (RAID 2001) (Davis, CA, USA) (W, L. M Lee, and A. Wespi, eds.), Lecture Notes in Computer Science, Springer-Verlag Heidelberg, October 2001, pp. 190–203.Google Scholar
  38. 38.
    Calvin Ko, Manfred Ruschitzka, and Karl Levitt, Execution monitoring of security-critical programs in distributed systems: A specification-based approach, Proceedings of IEEE Symposium on Security and Privacy, May 1997, pp. 175–187.Google Scholar
  39. 39.
    Christopher Kruegel and Giovanni Vigna, Anomaly detection of web-based attacks, Proceedings of the 10th ACM conference on Computer and communication security (Washington D.C., USA), ACM Press, October 2003, pp. 251–261.Google Scholar
  40. 40.
    S. Kumar, Classification and detection of computer intrusions, Ph.D. thesis, Purdue University, 1995.Google Scholar
  41. 41.
    S. Kumar and E. Spafford, A pattern matching model for misuse intrusion detection, Proceedings of the 17th National Computer Security Conference, 1994.Google Scholar
  42. 42.
    S. Kumar and E. Spafford, A software architecture to support misuse intrusion detection, Proceedings of the 18th National Information Security Conference, 1995.Google Scholar
  43. 43.
    Sandeep Kumar and Eugene Spafford, An application of pattern matching in intrusion detection, Tech. Report 94–013, Purdue University, Department of Computer Sciences, March 1994.Google Scholar
  44. 44.
    T. Lane, Machine learning techniques for the computer security domain of anomaly detection, Ph.D. thesis, Purdue University, August 2000.Google Scholar
  45. 45.
    L. Lankewicz and M. Benard, Real-Time Anomaly Detection Using a Nonparametric Pattern Recognition Approach, Proceedings of the 7th Annual Computer Security Applications Conference (ACSAC'91), 1991.Google Scholar
  46. 46.
    J. Lee, S. Moskovics, and L. Silacci, A Survey of Intrusion Detection Analysis Methods, 1999.Google Scholar
  47. 47.
    W. Lee, S. J. Stolfo, and K. W. Mok, A data mining framework for building intrusion detection models, Proceedings of the 1999 IEEE Symposium on Security and Privacy, May 1999, pp. 120–132.Google Scholar
  48. 48.
    W. Lee and S.J. Stolfo, Data mining approaches for intrusion detection, Proceedings of the 7th USENIX Security Symposium, 1998.Google Scholar
  49. 49.
    W. Lee, S.J. Stolfo, and K.W. Mok, Mining audit data to build intrusion detection models, Proceedings of the 4th International Conference on Knowledge Discovery and Data Mining, AAAI Press, 1998, pp. 66–72.Google Scholar
  50. 50.
    Z. Lei and A.A. Ghorbani, Network intrusion detection using an improved competitive learning neural network, Proceedings of the Second Annual Conference on Communication Networks and Services Research (Fredericton, NB, Canada), 2004.Google Scholar
  51. 51.
    U. Lindqvist and PA Porras, Detecting computer and network misuse through the production-basedexpert system toolset (P-BEST), Proceedings of the IEEE Symposium on Security and Privacy, 1999, pp. 146–161.Google Scholar
  52. 52.
    W. Lu and I. Traore, Unsupervised Anomaly Detection Using an Evolutionary Extension of K-means Algorithm, International Journal on Information and Computer Security, Inderscience Publisher 2 (May, 2008), 107–139.CrossRefGoogle Scholar
  53. 53.
    T. Lunt, R. Jagannathan, R. Lee, S. Listgarten, D. Eclwards, P. Neumann, H. Javitz, and A. Valdes, IDES: The Enhanced Prototype. A Real-Time Intrusion Detection System, Tech. report, Technical Report SRI Project 4 185–010, SRI-CSL-88, 1988.Google Scholar
  54. 54.
    T. F. Lunt, A. Tamaru, F. Gilham, R. Jagannathan, C. Jalali, P. G. Neumann H. S. Javitz, A. Valdes, and T. D. Garvey, A real time intrusion detection expert system (ides), Tech. report, SRI International, Menlo Park, CA, February 1992.Google Scholar
  55. 55.
    Teresa F. Lunt, Detecting intruders in computer systems, Proceedings of the 1993 Conference on Auditing and Computer Technology, 1993.Google Scholar
  56. 56.
    J. McHugh, Intrusion and intrusion detection, International Journal of Information Security 1 (2001), no. 1, 14–35.MATHGoogle Scholar
  57. 57.
    Ludovic Me, Gassata, a genetic algorithm as an alternative tool for security audit trails analysis, Proceedings of the 1st International Symposium on Recent Advances in Intrusion Detection (RAID'98) (Louvain-la-Neuve, Belgium), September 1998.Google Scholar
  58. 58.
    P. G. Neumann and A. Ph. Porras, Experience with emerald to date, Proceedings of First USENIX Workshop on Intrusion Detection and Network Monitoring (Santa Clara, California), IEEE Computer Society Press, April 1999, pp. 73–80.Google Scholar
  59. 59.
    S. Peddabachigari, A. Abraham, C. Grosan, and J. Thomas, Modeling intrusion detection system using hybrid intelligent systems, Journal of Network and Computer Applications 30 (2007), no. 1, 114–132.CrossRefGoogle Scholar
  60. 60.
    J. Peng, C. Feng, and J. Rozenblit, A hybrid intrusion detection and visualization system, Proceedings of the 13th Annual IEEE International Symposium and Workshop on Engineering of Computer Based Systems (ECBS'06), 2006, pp. 505–506.Google Scholar
  61. 61.
    A. Ph. Porras and P. G. Neumann, Emerald: Event monitoring enabling responses to anomalous live disturbances, Proceedings of the National Information Systems Security Conference, 1997, pp. 353–365.Google Scholar
  62. 62.
    L. Portnoy, E. Eskin, and S.J. Stolfo, Intrusion detection with unlabeled data using clustering, Proceedings of ACM CSS Workshop on Data Mining Applied to Security (DMSA'01), Philadelphia, PA, 2001, pp. 76–105.Google Scholar
  63. 63.
    M. Sabhnani and G. Serpen, Application of machine learning algorithms to KDD intrusion detection dataset within misuse detection context, International Conference on Machine Learning, Models, Technologies and Applications, 2003, pp. 209–215.Google Scholar
  64. 64.
    B. Scholkopf, J.C. Platt, J. Shawe-Taylor, A.J. Smola, and R.C. Williamson, Estimating the support of a high-dimensional distribution, Neural computation 13 (2001), no. 7, 1443–1471.CrossRefGoogle Scholar
  65. 65.
    M. Sebring, E. Shellhouse, M. Hanna, and R. Whitehurst, Expert systems in intrusion detection: A case study, Proceedings of the 11th National Computer Security Conference, 1988, pp. 74–81.Google Scholar
  66. 66.
    R. Sekar, A. Gupta, J. Frullo, T. Shanbhag, A. Tiwari, H. Yang, and S. Zhou, Specification-based anomaly detection: a new approach for detecting network intrusions, Proceedings of the 9th ACM conference on Computer and communication security (CCS'02) (Washington D.C., USA), ACM Press, November 2002, pp. 265–274.CrossRefGoogle Scholar
  67. 67.
    T. Shon and J. Moon, A hybrid machine learning approach to network anomaly detection, Information Sciences 177 (2007), no. 18, 3799–3821.CrossRefGoogle Scholar
  68. 68.
    M.L. Shyu, S.C. Chen, K. Sarinnapakorn, and L.W. Chang, A Novel Anomaly Detection Scheme Based on Principal Component Classifier. Google Scholar
  69. 69.
    V.A. Siris and F. Papagalou, Application of anomaly detection algorithms for detecting SYN flooding attacks, Computer Communications 29 (2006), no. 9, 1433–1442.CrossRefGoogle Scholar
  70. 70.
    S.E. Smaha, Haystack: An intrusion detection system, Aerospace Computer Security Applications Conference, 1988., Fourth, 1988, pp. 37–44.Google Scholar
  71. 71.
    S. Staniford, J. Hoagland, and J. McAlerney, Practical automated detection of stealthy portscans, Journal of Computer Security 10 (2002), no. 1 and 2, 105–126.Google Scholar
  72. 72.
    A. Sundaram, An introduction to intrusion detection, Crossroads 2 (1996), no. 4, 3–7.CrossRefGoogle Scholar
  73. 73.
    HS Teng, K. Chen, and SC Lu, Adaptive real-time anomaly detection using inductively generatedsequential patterns, Proceedings of the Symposium on Research in Security and Privacy (Oakland, CA), 1990, pp. 278–284.Google Scholar
  74. 74.
    J.L. Thames, R. Abler, and A. Saad, Hybrid intelligent systems for network security, Proceedings of the 44th annual Southeast regional conference, ACM New York, NY, USA, 2006, pp. 286–289.Google Scholar
  75. 75.
    Marina Thottan and Chuanyi Ji, Anomaly detection in ip networks, IEEE Transactions on Signal Processing 51 (2003), no. 8, 148–166.CrossRefGoogle Scholar
  76. 76.
    E. Tombini, H. Debar, L. Me, M. Ducasse, F. Telecom, and F. Caen, A serial combination of anomaly and misuse IDSes applied to HTTP traffic, Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC'04), 2004, pp. 428–437.Google Scholar
  77. 77.
    Prem Uppuluri and R. Sekar, Experiences with specification-based intrusion detection, Proceedings of Recent Advances in Intrusion Detection, 4th International Symposium, (RAID 2001) (Davis, CA, USA) (W, L. M Lee, and A. Wespi, eds.), Lecture Notes in Computer Science, Springer-Verlag Heidelberg, October 2001, pp. 172–189.Google Scholar
  78. 78.
    H. S. Vaccaro and G. E. Liepins, Detection of anomalous computer session activity, Proceedings of the Symposium on Research in Security and Privacy (Oakland, CA), May 1989, pp. 280–289.Google Scholar
  79. 79.
    A. Valdes and K. Skinner, Adaptive, model-based monitoring for cyber attack detection, Lecture Notes in Computer Science (2000), 80–92.Google Scholar
  80. 80.
    G. Vigna, S.T. Eckmann, and R.A. Kemmerer, The stat tool suite, Proceedings of DISCEX 2000 (Hilton Head, SC), IEEE Press, January 2000, pp. 46–55.Google Scholar
  81. 81.
    G. Vigna and RA Kemmerer, NetSTAT: A network-based intrusion detection approach, Proceedings of the 14th Annual Computer Security Applications Conference (ACSAC'98), 1998, pp. 25–34.Google Scholar
  82. 82.
    G. Vigna and R.A. Kemmerer, NetSTAT: A network-based intrusion detection system, Journal of Computer Security 7 (1999), no. 1, 37–71.Google Scholar
  83. 83.
    G. Vigna, W. Robertson, V. Kher, and R.A. Kemmerer, A stateful intrusion detection system for world-wide web servers, Proceedings of the Annual Computer Security Applications Conference (ACSAC 2003) (Las Vegas, NV), December 2003, pp. 34–43.Google Scholar
  84. 84.
    G. Vigna, F. Valeur, and R.A. Kemmerer, Designing and implementing a family of intrusion detection systems, Proceedings of the European Software Engineering Conference and ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE 2003) (Helsinki, Finland), September 2003.Google Scholar
  85. 85.
    C. Warrender, S. Forrest, and B. Pearlmutter, Detecting intrusions using system calls: alternative data models, Proceedings of the 1999 IEEE Symposium on Security and Privacy, May 1999, pp. 133–145.Google Scholar
  86. 86.
    C. Xiang and S.M. Lim, Design of multiple-level hybrid classifier for intrusion detection system, Proceedings of the 2005 IEEE Workshop on Machine Learning for Signal Processing, 2005, pp. 117–122.Google Scholar
  87. 87.
    A.A. Ghorbani Y. Guan and N. Belacel, Y-means : A clustering method for intrusion detection, IEEE Canadian Conference on Electrical and Computer Engineering, Proceedings, 2003.Google Scholar
  88. 88.
    K. Yamanishi, J.I. Takeuchi, G. Williams, and P. Milne, On-line unsupervised outlier detection using finite mixtures with discounting learning algorithms, Data Mining and Knowledge Discovery 8 (2004), no. 3, 275–300.CrossRefMathSciNetGoogle Scholar
  89. 89.
    B. Yu, E. Byres, and C. Howey, Monitoring Controller's” DNA Sequence” For System Security, ISA Emerging Technologies Conference, Instrumentation Systems and Automation Society, 2001.Google Scholar
  90. 90.
    J. Zhang and M. Zulkernine, A hybrid network intrusion detection technique using random forests, The First International Conference on Availability, Reliability and Security (ARES'06), 2006, pp. 262–269.Google Scholar

Copyright information

© Springer-Verlag US 2010

Authors and Affiliations

  1. 1.University of New BrunswickFrederictonCanada

Personalised recommendations