Intrusion Detection: Introduction to Intrusion Detection and Security Information Management

Chapter in: Foundations of Security Analysis and Design III (FOSAD 2005, FOSAD 2004)

Abstract

This paper covers intrusion detection and security information management technologies. It presents a primer on intrusion detection, focusing on data sources and analysis techniques. The data sources presented are classified according to their capture mechanism, and we include an evaluation of the accuracy of each. Analysis techniques are classified into misuse detection, which uses an explicit body of knowledge about security attacks to generate alerts, and anomaly detection, in which the safe or normal operation of the monitored information system is modelled and alerts are generated for anything that does not fit that model. The paper then describes the security information management and alert correlation technologies in use today. In particular, we describe statistical modelling of alert flows and explicit correlation between alert information and vulnerability assessment information.
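The abstract's "statistical modelling of alert flows" is easiest to see on a concrete series. The following is an added illustration, not code from the chapter or its authors: an exponentially weighted moving average (EWMA) control chart run over a constructed series of per-minute alert counts from a single sensor. The baseline mean and standard deviation are estimated from a leading training window assumed to be attack-free, each new count is folded into the smoothed rate z_t = lam * x_t + (1 - lam) * z_{t-1}, and an interval is flagged when z_t leaves the time-varying control limits. The sample counts, the parameter defaults (lam, k, training) and the function names are all assumptions chosen for the example.

```python
"""EWMA control chart over per-interval IDS alert counts (added illustration).

An alert-flow monitor learns the "normal" alert rate from a training window,
smooths incoming counts with an exponentially weighted moving average, and
raises a meta-alert when the smoothed rate leaves the control limits.
"""
from dataclasses import dataclass
from math import sqrt
from statistics import mean, stdev

# Constructed sample input (not real sensor data): alerts per minute from one
# sensor. Background noise is 3-6 alerts/minute; minutes 21-25 carry a burst.
ALERT_COUNTS = [
    4, 5, 3, 6, 4, 5, 4, 3, 5, 4,
    6, 4, 5, 3, 4, 5, 4, 6, 4, 5,
    18, 22, 25, 21, 24, 5, 4, 5, 3, 4,
]


@dataclass(frozen=True)
class ChartPoint:
    t: int              # 1-based interval index
    count: int          # raw alerts observed in this interval
    ewma: float         # smoothed alert rate z_t
    lcl: float          # lower control limit at t
    ucl: float          # upper control limit at t
    out_of_control: bool


def ewma_chart(counts, lam=0.3, k=3.0, training=15):
    """Return one ChartPoint per interval of `counts`.

    lam:      weight given to the newest observation (0 < lam <= 1).
    k:        control-limit width in baseline standard deviations.
    training: number of leading intervals assumed attack-free; they provide
              the baseline mean and standard deviation.
    """
    if not 0 < lam <= 1:
        raise ValueError("lam must be in (0, 1]")
    if training < 2 or training > len(counts):
        raise ValueError("training window must cover 2..len(counts) intervals")

    baseline = counts[:training]
    mu = mean(baseline)
    sigma = stdev(baseline)

    points = []
    z = mu  # z_0: the chart starts at the baseline mean
    for t, x in enumerate(counts, start=1):
        z = lam * x + (1 - lam) * z
        # Exact EWMA standard deviation at step t; it converges to
        # sigma * sqrt(lam / (2 - lam)) as t grows.
        spread = sigma * sqrt(lam / (2 - lam) * (1 - (1 - lam) ** (2 * t)))
        lcl, ucl = mu - k * spread, mu + k * spread
        points.append(ChartPoint(t, x, z, lcl, ucl, not lcl <= z <= ucl))
    return points


def out_of_control_intervals(counts, **kwargs):
    """1-based indices of the intervals whose smoothed rate left the limits."""
    return [p.t for p in ewma_chart(counts, **kwargs) if p.out_of_control]


if __name__ == "__main__":
    for p in ewma_chart(ALERT_COUNTS):
        flag = "  <-- out of control" if p.out_of_control else ""
        print(f"t={p.t:2d} count={p.count:2d} ewma={p.ewma:6.2f} "
              f"limits=[{p.lcl:.2f}, {p.ucl:.2f}]{flag}")
```

On the constructed series the chart goes out of control at minute 21, the first interval of the burst, and stays out of control through minute 30 even though raw counts return to baseline at minute 26: the EWMA's memory delays the return below the limit. A smaller lam shortens that tail but also makes the chart slower to react to a surge, and the baseline is only meaningful if the training window really is free of attack traffic, which is the usual caveat for any anomaly-detection model of "normal".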


Copyright information

© 2005 Springer-Verlag Berlin Heidelberg

About this chapter

Cite this chapter

Debar, H., Viinikka, J. (2005). Intrusion Detection: Introduction to Intrusion Detection and Security Information Management. In: Aldini, A., Gorrieri, R., Martinelli, F. (eds) Foundations of Security Analysis and Design III. FOSAD 2005, FOSAD 2004. Lecture Notes in Computer Science, vol 3655. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11554578_7

  • DOI: https://doi.org/10.1007/11554578_7

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-28955-5

  • Online ISBN: 978-3-540-31936-8

  • eBook Packages: Computer Science (R0)
