Abstract
An algorithm for designing a hybrid intrusion detection system based on a behavior analysis technique is proposed. The system can be used both to generate attack signatures and to detect anomalous behavior. The approach distinguishes the order of attack behavior, and so overcomes the limitation of methods based on mismatch or frequencies, which perform statistical analysis of attack behavior with association rules or frequent-episode algorithms. The preprocessed input to the algorithm is the set of connection records extracted from DARPA's tcpdump data. The complexity of the algorithm is analyzed against a well-known algorithm, and it is decreased greatly. Applying the proposed algorithm to transactions of known attacks, we found that it describes attacks more accurately and can detect attacks that consist of a limited number of transactions. Thus, every important sequence is considered and discovered, even if it is a single sequence, because the extraction covers all possible sequence combinations within the attack transactions. Four types of attacks are examined to cover all DARPA attack categories.
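As an added illustration (not the paper's algorithm, whose details are not on this page), the following Python sketch shows the ordered-subsequence signature idea the abstract describes: every order-preserving subsequence of an attack transaction is a candidate signature, candidates also present in normal transactions are discarded, and a single attack transaction is enough to yield a signature. The record fields, the sample transactions and the `max_len` bound are assumptions made here.

```python
from itertools import combinations

# Constructed connection records, one transaction per list entry.
# Each record is a (service, status_flag) pair in the style of a
# tcpdump connection summary; values are constructed for illustration.
NORMAL = [
    [("http", "SF"), ("http", "SF"), ("smtp", "SF")],
    [("ftp", "SF"), ("http", "SF")],
    [("smtp", "SF"), ("http", "SF"), ("http", "SF")],
]
ATTACK = [  # a single attack transaction is deliberately all we have
    [("finger", "SF"), ("ftp", "SF"), ("ftp", "SF"), ("ftp", "RSTO")],
]


def ordered_subsequences(transaction, max_len):
    """All order-preserving subsequences (not necessarily contiguous)
    of length 1..max_len. Order matters: (a, b) is not (b, a)."""
    seqs = set()
    for k in range(1, min(max_len, len(transaction)) + 1):
        for idx in combinations(range(len(transaction)), k):
            seqs.add(tuple(transaction[i] for i in idx))
    return seqs


def mine_signatures(attack_txns, normal_txns, max_len=3):
    """Candidate signatures: ordered subsequences that occur in at least
    one attack transaction but never in the normal transactions."""
    normal_seqs = set()
    for t in normal_txns:
        normal_seqs |= ordered_subsequences(t, max_len)
    sigs = set()
    for t in attack_txns:
        sigs |= ordered_subsequences(t, max_len) - normal_seqs
    return sigs


def matches(transaction, signatures, max_len=3):
    """Detection: True if the transaction contains any signature in order."""
    return bool(ordered_subsequences(transaction, max_len) & signatures)


if __name__ == "__main__":
    sigs = mine_signatures(ATTACK, NORMAL)
    for s in sorted(sigs, key=len):
        print(s)
    print(matches([("ftp", "SF"), ("ftp", "RSTO")], sigs))  # True
```

Reversing the order of a signature's records does not produce a match on that signature, which is the ordering property the abstract contrasts with frequency-based approaches.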
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
Cite this paper
Alharby, A., Imai, H. (2005). Hybrid Intrusion Detection Model Based on Ordered Sequences. In: Gorodetsky, V., Kotenko, I., Skormin, V. (eds) Computer Network Security. MMM-ACNS 2005. Lecture Notes in Computer Science, vol 3685. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11560326_27
DOI: https://doi.org/10.1007/11560326_27
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-29113-8
Online ISBN: 978-3-540-31998-6