Abstract
In this work, a novel approach to anomaly-based network intrusion detection at the application layer is presented. The problem of identifying anomalous payloads is addressed with a technique based on modelling short sequences of adjoining bytes in the requests destined to a given service. On this theoretical framework, we propose an algorithm that assigns an anomaly score to each service request on the basis of its similarity to a previously established model of normality. The introduced approach has been evaluated on datasets composed of HTTP and DNS traffic. To this end, a large number of attacks related to such services has been gathered, and detailed experimental results concerning the detection capability of the proposed system are shown. The experiments demonstrate that our approach yields a very high detection rate with a low level of false alarms.
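The abstract describes the mechanism only in outline: a model of normality built from short sequences of adjoining bytes in requests to one service, and an anomaly score derived from how far a new request departs from that model. The following Python block is an added illustration, not the authors' N3 implementation; the page gives neither the sequence length nor the similarity measure used by the paper, so the choices here (3-byte sequences, an anomaly score equal to the fraction of a request's byte 3-grams never observed during training, and a detection threshold calibrated by leave-one-out scoring of the training set) are assumptions. The HTTP requests used for training and testing are constructed, not captured traffic.

```python
"""Byte n-gram model of normal service requests with a simple anomaly score.

Added example, not code from the paper. Assumptions: n = 3 byte sequences,
score = share of unseen n-grams, threshold = worst leave-one-out score.
"""
from collections import Counter
from typing import Dict, Iterable, List

N = 3  # length of the byte sequences; the page does not state the paper's value


def ngrams(payload: bytes, n: int = N) -> List[bytes]:
    """All overlapping sequences of n adjoining bytes in the payload."""
    return [payload[i:i + n] for i in range(len(payload) - n + 1)]


class ByteNgramModel:
    """Model of normality: how often each byte n-gram occurred in legitimate requests."""

    def __init__(self, n: int = N) -> None:
        self.n = n
        self.counts: Counter = Counter()

    def train(self, payloads: Iterable[bytes]) -> None:
        for p in payloads:
            self.counts.update(ngrams(p, self.n))

    def unseen(self, payload: bytes) -> List[bytes]:
        """n-grams of the request the model never observed; useful when an analyst
        asks *why* a request was flagged."""
        return [g for g in ngrams(payload, self.n) if g not in self.counts]

    def score(self, payload: bytes) -> float:
        """Anomaly score in [0, 1]: fraction of the request's n-grams unseen in training."""
        grams = ngrams(payload, self.n)
        if not grams:
            return 1.0  # too short to hold one n-gram: treat as maximally anomalous
        return len(self.unseen(payload)) / len(grams)


def calibrate(payloads: List[bytes], n: int = N) -> float:
    """Leave-one-out threshold: the highest score any training request receives
    from a model built on the remaining training requests. Anything scoring
    above it is less 'normal' than the most unusual legitimate request seen."""
    worst = 0.0
    for i, held_out in enumerate(payloads):
        model = ByteNgramModel(n)
        model.train(payloads[:i] + payloads[i + 1:])
        worst = max(worst, model.score(held_out))
    return worst


# Constructed training traffic for one HTTP service (not real captures).
NORMAL_REQUESTS: List[bytes] = [
    b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n",
    b"GET /about.html HTTP/1.0\r\nHost: www.example.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n",
    b"GET /images/logo.gif HTTP/1.0\r\nHost: www.example.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n",
    b"GET /docs/help.html HTTP/1.0\r\nHost: www.example.com\r\nUser-Agent: Lynx/2.8\r\n\r\n",
    b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\nUser-Agent: Lynx/2.8\r\n\r\n",
]

# Constructed test requests: one ordinary request for a new path, and one whose
# query string is a run of byte values that never occur in the training traffic.
NORMAL_TEST = b"GET /docs/about.html HTTP/1.0\r\nHost: www.example.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n"
ANOMALOUS_TEST = (b"GET /index.html?" + bytes(range(0x80, 0xC0))
                  + b" HTTP/1.0\r\nHost: www.example.com\r\n\r\n")


def demo() -> Dict[str, object]:
    """Train on the normal requests, calibrate a threshold, and score both tests."""
    model = ByteNgramModel()
    model.train(NORMAL_REQUESTS)
    threshold = calibrate(NORMAL_REQUESTS)
    normal_score = model.score(NORMAL_TEST)
    anomalous_score = model.score(ANOMALOUS_TEST)
    return {
        "threshold": threshold,
        "normal_score": normal_score,
        "normal_flagged": normal_score > threshold,
        "anomalous_score": anomalous_score,
        "anomalous_flagged": anomalous_score > threshold,
        "anomalous_unseen": model.unseen(ANOMALOUS_TEST),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}" if key != "anomalous_unseen" else f"{key}: {len(value)} n-grams")
```

The unseen-fraction score is deliberately crude: a request that uses a previously unseen path still shares almost all of its byte sequences with the training set (here a single unseen 3-gram, `s/a`, at the boundary between two known path components), while a request whose payload is dominated by byte values the service never sees scores well above the calibrated threshold. In a deployment the threshold should be tuned on held-out legitimate traffic over time, since a model of normality that is never refreshed will raise false alarms as the service's legitimate request mix changes.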
© 2004 Springer-Verlag Berlin Heidelberg
Estévez-Tapiador, J.M., García-Teodoro, P., Díaz-Verdejo, J.E. (2004). N3: A Geometrical Approach for Network Intrusion Detection at the Application Layer. In: Laganá, A., Gavrilova, M.L., Kumar, V., Mun, Y., Tan, C.J.K., Gervasi, O. (eds) Computational Science and Its Applications – ICCSA 2004. ICCSA 2004. Lecture Notes in Computer Science, vol 3043. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-24707-4_97
DOI: https://doi.org/10.1007/978-3-540-24707-4_97
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-22054-1
Online ISBN: 978-3-540-24707-4