
Part of the book series: Advances in Soft Computing ((AINSC,volume 53))


Abstract

There are many recent studies and proposals in anomaly detection techniques, especially for worm and virus detection. In this field it matters to answer a few important questions, such as at which ISO/OSI layer the data analysis is done and which approach is used. Furthermore, these works suffer from a scarcity of real data due to a lack of network resources or privacy problems: almost every work in this sector uses synthetic (e.g. DARPA) or pre-made data sets. Our study is based on layer-seven quantities (the number of e-mails sent in a chosen period): we analyzed our network's e-mail traffic quantitatively (4 SMTP servers, 10 class C networks) and applied our method to the gathered data to detect indirect worm infection (worms that use e-mail to spread the infection). The method is a threshold method and, on our dataset, it identified various worm activities. In this document we show our data analysis and results in order to stimulate new approaches and debate in anomaly intrusion detection techniques.
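As an added example (not the paper's own code), the Python script below shows the shape of the layer-seven threshold approach the abstract describes: it bins outgoing-mail log lines into per-client counts per period, learns a per-host baseline from a training window, and flags later periods whose count exceeds the host's threshold. The paper does not state its threshold rule on this page, so the mean-plus-k-standard-deviations statistic with an absolute floor is an assumption; the log format, the two client addresses and every sample line are constructed.

```python
"""Threshold detector for mass-mailing worm activity on outgoing SMTP counts.

Added example, not code from the paper. The page says the method is a
threshold method over layer-seven quantities (e-mails sent per chosen period)
but does not give the rule, so the per-host baseline statistic used here
(mean + k * standard deviation over a training window, with an absolute
floor) is an assumption. The log format and every sample line are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log line format: "<ISO-8601 timestamp> client=<ip> from=<sender>"
LOG_RE = re.compile(r"^(\S+) client=(\S+) from=(\S+)$")


def parse_counts(lines, period_seconds=3600):
    """Bin log lines into {client_ip: {period_start_epoch: e-mails sent}}.
    Lines that do not match the constructed format are ignored."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1)).timestamp()
        period = int(ts // period_seconds) * period_seconds
        counts[m.group(2)][period] += 1
    return counts


def threshold(baseline, k=3.0, floor=20):
    """Per-host threshold: mean + k * population stdev of the baseline counts.
    The floor keeps a normally quiet host from alerting on a handful of
    legitimate messages (a zero-variance baseline would otherwise give ~0)."""
    if not baseline:
        return floor
    return max(floor, mean(baseline) + k * pstdev(baseline))


def detect(counts, train_periods, k=3.0, floor=20):
    """Return (client, period, count, threshold) for every non-training period
    in which a client sent more e-mails than its learned threshold."""
    alerts = []
    for client, per_period in counts.items():
        # a training period with no mail from this client counts as 0, not as missing
        baseline = [per_period.get(p, 0) for p in sorted(train_periods)]
        thr = threshold(baseline, k, floor)
        for period, n in sorted(per_period.items()):
            if period not in train_periods and n > thr:
                alerts.append((client, period, n, thr))
    return alerts


def build_sample_log():
    """Constructed sample: two internal clients over eight hourly periods.
    10.0.0.5 behaves normally for six hours, then bursts (worm-like);
    10.0.0.9 keeps its usual low rate throughout."""
    per_hour = {"10.0.0.5": [4, 3, 5, 4, 3, 4, 60, 75],
                "10.0.0.9": [4, 3, 5, 4, 3, 4, 4, 3]}
    lines = []
    for client, series in per_hour.items():
        for hour, n in enumerate(series):
            for i in range(n):
                # explicit UTC offset so binning does not depend on the local timezone
                lines.append(f"2008-03-10T{hour:02d}:{i % 60:02d}:00+00:00 "
                             f"client={client} from=user@example.org")
    return lines


def run_sample(train_hours=6):
    """Train on the first train_hours periods, then score the rest.
    Returns alerts with the period mapped back to its hour index."""
    counts = parse_counts(build_sample_log())
    periods = sorted({p for c in counts.values() for p in c})
    alerts = detect(counts, set(periods[:train_hours]))
    return [(c, periods.index(p), n, round(thr, 1)) for c, p, n, thr in alerts]


if __name__ == "__main__":
    for client, hour, n, thr in run_sample():
        print(f"hour {hour}: {client} sent {n} e-mails (threshold {thr})")
```

In the constructed sample only 10.0.0.5 is flagged, in hours 6 and 7, because its count jumps far above the floor while 10.0.0.9 stays within its baseline. Two practical points the abstract's setting raises: the period length and the training window decide how quickly a burst becomes visible, and a host that legitimately sends a lot (a mailing-list relay, for instance) learns a correspondingly high baseline, so per-host thresholds should be reviewed rather than trusted blindly.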




© 2009 Springer-Verlag Berlin Heidelberg


Cite this paper

Aiello, M., Chiarella, D., Papaleo, G. (2009). Statistical Anomaly Detection on Real e-Mail Traffic. In: Corchado, E., Zunino, R., Gastaldo, P., Herrero, Á. (eds) Proceedings of the International Workshop on Computational Intelligence in Security for Information Systems CISIS’08. Advances in Soft Computing, vol 53. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-88181-0_22


  • DOI: https://doi.org/10.1007/978-3-540-88181-0_22

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-88180-3

  • Online ISBN: 978-3-540-88181-0
