Abstract
Anomaly-based approaches often require several profiles or models, each characterizing one aspect of normal behavior. The anomaly score of an audit event is then obtained by aggregating several local anomaly scores. Remarkably, most work concentrates on profile/model definition, while the critical issues of measuring, aggregating and thresholding anomaly scores are handled simplistically. This paper addresses anomaly scoring and aggregation, a recurring problem in anomaly-based approaches. We propose a Bayesian scheme for aggregating anomaly scores in a multi-model approach, together with a two-stage thresholding scheme designed to meet real-time detection requirements. The scheme rests on the observation that anomalous behavior induces either intra-model anomalies (visible within a single model) or inter-model anomalies (visible only when several models are considered together). Our experiments, carried out on recent, real HTTP traffic, show for instance that most attacks induce only intra-model anomalies and can be detected effectively in real time.
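The following is an added illustration of the ideas in the abstract, written for this page; it is not the authors' implementation and the paper's actual models, aggregation formula and thresholds are not reproduced here. It assumes three simple per-request models over HTTP query strings (value length scored with a Chebyshev bound, fraction of unseen characters, fraction of unknown parameter names), a naive-Bayes aggregator over binary "model fired" evidence whose P(fire | normal) is estimated from attack-free training data and whose P(fire | attack) and prior are assumed constants, and the editor's reading of the two anomaly kinds: an intra-model anomaly is one model alone exceeding its own threshold (stage 1, no aggregation needed), an inter-model anomaly is several models being only mildly elevated so that just the aggregated posterior crosses the global threshold (stage 2). All training requests, thresholds and probabilities are constructed.

```python
import math
from urllib.parse import parse_qsl, urlsplit

# Constructed attack-free training requests (assumption: stand-in for real clean logs).
NORMAL = [
    "/search?q=laptop&page=1",
    "/search?q=usb+cable&page=2",
    "/search?q=monitor&page=1",
    "/search?q=keyboard+wireless&page=3",
    "/search?q=mouse&page=1",
    "/search?q=hdmi+adapter&page=12",
    "/search?q=ssd+1tb&page=4",
    "/search?q=webcam&page=1",
]

def params(request):
    return parse_qsl(urlsplit(request).query)

class LengthModel:
    """Per-parameter value-length profile scored with a Chebyshev bound."""
    def fit(self, values):
        lengths = [len(v) for v in values]
        self.mean = sum(lengths) / len(lengths)
        self.var = sum((n - self.mean) ** 2 for n in lengths) / len(lengths)
    def score(self, value):
        dev = len(value) - self.mean
        if dev <= 0:
            return 0.0  # unusually short values are not treated as anomalous
        # P(|X - mean| >= dev) <= var / dev^2: the smaller this bound, the less
        # likely the length under the profile and the closer the score to 1.
        return 1.0 - min(1.0, self.var / dev ** 2)

class CharsetModel:
    """Fraction of characters never seen in training values of the parameter."""
    def fit(self, values):
        self.seen = set("".join(values))
    def score(self, value):
        return sum(c not in self.seen for c in value) / len(value) if value else 0.0

class TwoStageDetector:
    # Stage-1 ("hard") thresholds: one model alone is conclusive (assumed values).
    HARD = {"length": 0.9, "charset": 0.4, "structure": 0.5}
    # Stage-2 ("soft") thresholds: evidence that is only suggestive on its own.
    SOFT = {"length": 0.5, "charset": 0.1, "structure": 0.1}

    def __init__(self, normal_requests, prior_attack=0.01, p_fire_given_attack=0.8,
                 global_threshold=0.5):
        self.prior, self.global_threshold = prior_attack, global_threshold
        self.pfa = p_fire_given_attack  # assumed: no labelled attacks to estimate it
        by_name = {}
        for r in normal_requests:
            for name, value in params(r):
                by_name.setdefault(name, []).append(value)
        self.names = set(by_name)  # structure model: the expected parameter names
        self.length = {n: LengthModel() for n in by_name}
        self.charset = {n: CharsetModel() for n in by_name}
        for n, values in by_name.items():
            self.length[n].fit(values)
            self.charset[n].fit(values)
        # P(model fires | normal): soft-threshold firing rate on the training set,
        # Laplace-smoothed (in-sample here; use a held-out split in practice).
        self.fire_rate = {}
        for m in self.SOFT:
            k = sum(self.local_scores(r)[m] >= self.SOFT[m] for r in normal_requests)
            self.fire_rate[m] = (k + 1) / (len(normal_requests) + 2)

    def local_scores(self, request):
        ps = params(request)
        def worst(models):  # a request inherits its most anomalous parameter
            return max((models[n].score(v) for n, v in ps if n in models), default=0.0)
        unknown = sum(n not in self.names for n, _ in ps) / len(ps) if ps else 0.0
        return {"length": worst(self.length), "charset": worst(self.charset),
                "structure": unknown}

    def posterior(self, fired):
        """Naive-Bayes P(attack | which models fired), accumulated as log-odds."""
        log_odds = math.log(self.prior / (1 - self.prior))
        for m, f in fired.items():
            p_attack = self.pfa if f else 1 - self.pfa
            p_normal = self.fire_rate[m] if f else 1 - self.fire_rate[m]
            log_odds += math.log(p_attack) - math.log(p_normal)
        return 1 / (1 + math.exp(-log_odds))

    def classify(self, request):
        scores = self.local_scores(request)
        # Stage 1: a single model past its hard threshold is an intra-model
        # anomaly, reported at once without running the aggregator.
        if any(s >= self.HARD[m] for m, s in scores.items()):
            return "intra-model", scores, None
        # Stage 2: combine the soft evidence of all models -> inter-model anomaly.
        fired = {m: s >= self.SOFT[m] for m, s in scores.items()}
        post = self.posterior(fired)
        return ("inter-model" if post >= self.global_threshold else "normal"), scores, post

if __name__ == "__main__":
    det = TwoStageDetector(NORMAL)
    for req in ("/search?q=tablet&page=2", "/search?q=%27+OR+%271%27%3D%271&page=1",
                "/search?q=wireless+gaming&page=1&ref=x"):
        print(det.classify(req)[0], req)
```

On the constructed training set, the SQL-injection request `q=' OR '1'='1` is caught in stage 1 by the character-set model alone (about 64 % of its characters never occur in normal `q` values), while `q=wireless+gaming&ref=x` passes every hard threshold but trips all three soft ones, and only the aggregated posterior (about 0.63 against a prior of 0.01) raises it as an inter-model anomaly; a training request whose length model fires on its own stays below the global threshold, which is the point of aggregating rather than alerting on any single weak signal. Two caveats a deployment must address: the firing rates are estimated in-sample on eight requests, so they are optimistic, and a training set this small leaves most digits and punctuation "unseen", which would make the character-set model fire on harmless values such as `page=7`.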
© 2009 Springer-Verlag Berlin Heidelberg
Cite this paper
Benferhat, S., Tabia, K. (2009). Aggregation and Thresholding Schemes for Anomaly-Based Approaches. In: Filipe, J., Obaidat, M.S. (eds) e-Business and Telecommunications. ICETE 2008. Communications in Computer and Information Science, vol 48. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-05197-5_10
DOI: https://doi.org/10.1007/978-3-642-05197-5_10
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-05196-8
Online ISBN: 978-3-642-05197-5