Abstract
Inference methods for detecting attacks on information resources typically use signature analysis or statistical anomaly detection methods. The former have the advantage of attack specificity, but may not be able to generalize. The latter detect attacks probabilistically, allowing for generalization potential. However, they lack attack models and can potentially “learn” to consider an attack normal.
Herein, we present a high-performance, adaptive, model-based technique for attack detection, using Bayes net technology to analyze bursts of traffic. Attack classes are embodied as model hypotheses, which are adaptively reinforced. This approach has the attractive features of both signature based and statistical techniques: model specificity, adaptability, and generalization potential. Our initial prototype sensor examines TCP headers and communicates in IDIP, delivering a complementary inference technique to an IDS sensor suite. The inference technique is itself suitable for sensor correlation.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Porras, P. and Neumann, P. “EMERALD: Event Monitoring Enabling Responses to Anomalous Live Distrurbances”, National Information Security Conference, 1997. http://www.sdl.sri.com/emerald/emerald-niss97.html
Valdes, A. and Anderson, D. “Statistical Methods for Computer Usage Anomaly Detection”, Third International Workshop on Rough Sets and Soft Computing, San Jose, CA, 1995.
P. A. Porras and A. Valdes. Live traffic analysis of TCP/IP gateways. In Proceedings of the Symposium on Network and Distributed System Security. Internet Society, March 1998.
Pearl, J. “Probabilistic Reasoning in Intelligent Systems”, Morgan-Kaufman (1988).
Boyen, X. and Koller, D. “Tractable Inference for Complex Stochastic Processes”, Proceedings of the 14th Annual Conference on Uncertainty in Artificial Intelligence (UAI-98), Madison, WI, July 1998. http://robotics.Stanford.EDU/xb/uai98/index.html
Skinner, K. and Valdes, A. “EMERALD™ TCP Statistical Analyzer 1998 Evaluation Results”, http://www.sdl.sri.com/emerald/98-eval-estat/index.html
Lippmann, Richard P, et al. “Evaluating Intrusion Detection Systems: The 1998 DARPA Off-Line Intrusion Detection Evaluation,” Proceedings of DARPA Information Survivability Conference and Exposition, DISCEX’00, Jan 25–27, Hilton Head, SC, 2000, http://www.ll.mit.edu/IST/ideval/index.html
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2000 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Valdes, A., Skinner, K. (2000). Adaptive, Model-Based Monitoring for Cyber Attack Detection. In: Debar, H., Mé, L., Wu, S.F. (eds) Recent Advances in Intrusion Detection. RAID 2000. Lecture Notes in Computer Science, vol 1907. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-39945-3_6
Download citation
DOI: https://doi.org/10.1007/3-540-39945-3_6
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-41085-0
Online ISBN: 978-3-540-39945-2
eBook Packages: Springer Book Archive