A Brief Observation-Centric Analysis on Anomaly-Based Intrusion Detection

Conference paper, Information Security Practice and Experience (ISPEC 2005)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 3439)

Abstract

This paper focuses on the operational capabilities and drawbacks of anomaly-based intrusion detectors from the perspective of their operating environments, rather than the detection schemes per se. Based on its similarity with the induction problem, anomaly detection is cast in a statistical framework that describes the detectors' generally anticipated behaviors. Several key problems, and corresponding potential solutions, concerning the normality characterization of observable subjects from hosts and from networks are addressed in turn, together with case studies of several representative detection models. The evaluation of anomaly detectors is also discussed briefly on the basis of existing results. Careful analysis shows that a fundamental understanding of the operating environment is the essential stage in establishing an effective anomaly detection model, and is therefore worth insightful exploration, especially when facing the dilemma between detection performance and computational cost.




Copyright information

© 2005 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Zhang, Z., Shen, H. (2005). A Brief Observation-Centric Analysis on Anomaly-Based Intrusion Detection. In: Deng, R.H., Bao, F., Pang, H., Zhou, J. (eds) Information Security Practice and Experience. ISPEC 2005. Lecture Notes in Computer Science, vol 3439. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-31979-5_16

  • DOI: https://doi.org/10.1007/978-3-540-31979-5_16

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-25584-0

  • Online ISBN: 978-3-540-31979-5

  • eBook Packages: Computer Science (R0)
