
Aggregation and Thresholding Schemes for Anomaly-Based Approaches

Conference paper, e-Business and Telecommunications (ICETE 2008)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 48)

Abstract

Anomaly-based approaches often require multiple profiles and models in order to characterize different aspects of normal behavior. In particular, the anomaly score of an audit event is obtained by aggregating several local anomaly scores. Remarkably, most works focus on profile/model definition, while the critical issues of anomaly measuring, aggregating and thresholding are dealt with "simplistically". This paper addresses the issue of anomaly scoring and aggregation, which is a recurring problem in anomaly-based approaches. We propose a Bayesian-based scheme for aggregating anomaly scores in a multi-model approach, and a two-stage thresholding scheme in order to meet real-time detection requirements. The basic idea of our scheme is the observation that anomalous behaviors induce either intra-model anomalies or inter-model anomalies. Our experimental studies, carried out on recent and real HTTP traffic, show for instance that most attacks induce only intra-model anomalies and can be effectively detected in real time.
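The two-stage idea from the abstract, as an added illustration that is not the paper's code or its actual scoring scheme: three toy per-attribute models of an HTTP request each give a local score; stage 1 flags an intra-model anomaly as soon as one score exceeds that model's own threshold, and only otherwise does stage 2 aggregate the scores (here with a naive-Bayes log-odds combination, an assumed stand-in for the paper's Bayesian scheme) to catch inter-model anomalies. The models, thresholds, prior and sample requests are all constructed.

```python
import math

# Toy per-attribute models of an HTTP request; each returns a local anomaly
# score in [0, 1]. These are constructed stand-ins, not the paper's profiles.
def length_model(req):
    # Path length relative to an assumed normal range (<= 40 chars is typical)
    return min(1.0, max(0.0, (len(req["path"]) - 40) / 200))

def charset_model(req):
    # Share of characters outside an assumed "normal" URL alphabet, scaled x5
    bad = sum(1 for c in req["path"] if not (c.isalnum() or c in "/._-?=&"))
    return min(1.0, 5 * bad / max(1, len(req["path"])))

def method_model(req):
    # Common methods keep a small residual score; anything else is fully anomalous
    return 0.02 if req["method"] in ("GET", "HEAD", "POST") else 1.0

MODELS = {"length": length_model, "charset": charset_model, "method": method_model}
INTRA_THRESHOLD = {"length": 0.9, "charset": 0.9, "method": 0.5}  # stage-1 cut-offs

def _logit(p):
    return math.log(p / (1 - p))

def bayesian_aggregate(scores, prior_attack=0.01):
    # Naive-Bayes combination: each local score is read as that model's posterior
    # P(anomalous | its evidence); assuming independence, the combined log-odds is
    # the prior log-odds plus each model's log-odds shift away from the prior.
    # Scores are smoothed into [0.01, 0.99] so no single model can veto the rest.
    lo = _logit(prior_attack)
    for s in scores:
        lo += _logit(min(0.99, max(0.01, s))) - _logit(prior_attack)
    return 1 / (1 + math.exp(-lo))

def classify(req, inter_threshold=0.5):
    scores = {name: model(req) for name, model in MODELS.items()}
    # Stage 1 (cheap, per model): one model alone is far outside its profile.
    for name, s in scores.items():
        if s >= INTRA_THRESHOLD[name]:
            return {"verdict": "intra-model", "model": name, "scores": scores, "posterior": None}
    # Stage 2 (aggregate): every score individually tolerable, but the combined
    # evidence across models is not.
    post = bayesian_aggregate(scores.values())
    verdict = "inter-model" if post >= inter_threshold else "normal"
    return {"verdict": verdict, "model": None, "scores": scores, "posterior": post}

# Constructed sample requests (not real traffic)
NORMAL = {"method": "GET", "path": "/index.html"}
INTRA = {"method": "PROPFIND", "path": "/"}
INTER = {"method": "GET", "path": "/app?q=" + "'" * 27 + "a" * 146}
```

`classify(INTER)` shows the point of stage 2: each of its scores (0.7, 0.75, 0.02) sits below its own threshold, yet the combined posterior is close to 1.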




Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Benferhat, S., Tabia, K. (2009). Aggregation and Thresholding Schemes for Anomaly-Based Approaches. In: Filipe, J., Obaidat, M.S. (eds) e-Business and Telecommunications. ICETE 2008. Communications in Computer and Information Science, vol 48. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-05197-5_10

  • DOI: https://doi.org/10.1007/978-3-642-05197-5_10

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-05196-8

  • Online ISBN: 978-3-642-05197-5
