Abstract
Most intrusion detection techniques suffer from either an inability to detect unknown intrusions or unacceptably high false alarm rates. However, there is no general basis on which to analyze these problems and find solutions to them. In this paper, we propose such a theoretical basis for intrusion detection, which makes it possible to systematically express and analyze detection performance metrics such as the detection rate and the false alarm rate in a quantified manner. Most importantly, the insights gained from this basis lead to the proposal of a new intrusion detection technique, USAID. USAID attempts to exploit the advantages of both signature-based and anomaly-based techniques while overcoming their respective shortcomings. The experimental results show that USAID can achieve a uniform level of efficiency in detecting both known intrusions (99.78%) and new intrusions (98.18%), with a significantly reduced false alarm rate (1.45%). Most significantly, the performance of USAID is superior to that of all the participants in KDD'99 if the anomalies detected by USAID can be categorized correctly.
© 2005 Springer-Verlag Berlin Heidelberg
Li, Z., Das, A., Zhou, J. (2005). USAID: Unifying Signature-Based and Anomaly-Based Intrusion Detection. In: Ho, T.B., Cheung, D., Liu, H. (eds) Advances in Knowledge Discovery and Data Mining. PAKDD 2005. Lecture Notes in Computer Science(), vol 3518. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11430919_81
DOI: https://doi.org/10.1007/11430919_81
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-26076-9
Online ISBN: 978-3-540-31935-1