Abstract
There are many recent studies and proposal in Anomaly Detection Techniques, especially in worm and virus detection. In this field it does matter to answer few important questions like at which ISO/OSI layer data analysis is done and which approach is used. Furthermore these works suffer of scarcity of real data due to lack of network resources or privacy problem: almost every work in this sector uses synthetic (e.g. DARPA) or pre-made set of data. Our study is based on layer seven quantities (number of e-mail sent in a chosen period): we analyzed quantitatively our network e-mail traffic (4 SMTP servers, 10 class C networks) and applied our method on gathered data to detect indirect worm infection (worms which use e-mail to spread infection). The method is a threshold method and, in our dataset, it identified various worm activities. In this document we show our data analysis and results in order to stimulate new approaches and debates in Anomaly Intrusion Detection Techniques.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Axelsson, S.: Intrusion detection systems: A survey and taxonomy,Tech. Rep. 99-15, Chalmers Univ (March 2000)
Verwoerd, T., Hunt, R.: Intrusion detection techniques and approaches. Comput. Commun. 25(15), 1356–1365 (2002)
Ilgun, K., Kemmerer, R.A., Porras, P.A.: State transition analysis: A rule-based intrusion detection approach. IEEE Transactions on Software Engineering 21(3), 181–199 (1995)
Kumar, S., Spafford, E.H.: A software architecture to support misuse intrusion detection. In: Proceedings of the 18th National Information Security Conference, pp. 194–204 (1995)
Denning, D.E.: An intrusion detection model. IEEE Transactions on Software Engineering (1987)
Estvez-Tapiador, J.M., Garcia-Teodoro, P., Diaz-Verdejo, J.E.: Anomaly detection methods in wired networks: A survey and taxonomy. Comput. Commun. 27(16), 1569–1584 (2004)
Du, Y., Wang, W.-q., Pang, Y.-G.: An intrusion detection method using average hamming distance. In: Proceedings of the Third International Conference on Machine Learning and Cybernetics, Shanghai, 26-29 August (2004)
Anderson, D., Frivold, T., Valdes, A.: Next-generation intrusion detection expert system (NIDES). Computer Science Laboratory (SRI Intemational, Menlo Park, CA): Technical reportSRI-CSL-95-07 (1995)
Wang, Y., Abdel-Wahab, H.: A Multilayer Approach of Anomaly Detection for Email Systems. In: Proceedings of the 11th IEEE Symposium on Computers and Communications (ISCC 2006) (2006)
http://en.wikipedia.org/wiki/Notable_computer_viruses_and_worms
Moore, D., Paxson, V., Savage, S., Shannon, C., Staniford, S., Weaver, N.: Inside the slammer worm. IEEE Magazine of Security and Privacy, 33–39 (July/August 2003)
Leyden, J.: Zombie PCs spew out 80% of spam. The Register (June 2004)
Yasami, Y., Farahmand, M., Zargari, V.: An ARP-based Anomaly Detection Algorithm Using Hidden Markov Model in Enterprise Networks. In: Second International Conference on Systems and Networks Communications (ICSNC 2007) (2007)
Berk, V., Bakos, G., Morris, R.: Designing a Framework for Active Worm Detection on Global Networks. In: Proceedings of the first IEEE International Workshop on Information Assurance (IWIA 2003), Darmstadt, Germany (March 2003)
Bakos, G., Berk, V.: Early detection of internet worm activity by metering icmp destination unreachable messages. In: Proceedings of the SPIE Aerosense 2002 (2002)
Whyte, D., Kranakis, E., van Oorschot, P.C.: DNS-based Detection of Scanning Worms in an Enterprise Network. In: Proceedings of the 12th Annual Network and Distributed System Security Symposium, San Diego, USA, February 3-4 (2005)
Whyte, D., van Oorschot, P.C., Kranakis, E.: Addressing Malicious SMTP-based Mass-Mailing Activity Within an Enterprise Network
Hofmeyr, S.A., Forrest, S., Somayaji, A.: Intrusion Detection using Sequences of System Calls. Journal of Computer Security 6(3), 151–180 (1998)
Cha, B.: Host anomaly detection performance analysis based on system call of Neuro-Fuzzy using Soundex algorithm and N-gram technique. In: Proceedings of the 2005 Systems Communications (ICW 2005) (2005)
Harris, E.: The Next Step in the Spam Control War: Greylisting
Crandall, J.R., Su, Z., Wu, S.F., Chong, F.T.: On Deriving Unknown Vulnerabilities from Zero-Day Polymorphic and Metamorphic Worm Exploits. In: CCS 2005, Alexandria, Virginia, USA, November 7–11 (2005)
Portokalidis, G., Bos, H.: SweetBait: Zero-Hour Worm Detection and Containment Using Honeypots
Akritidis, P., Anagnostakis, K., Markatos, E.P.: Efficient Content-Based Detection of Zero-DayWorms
Behaviour-Based Network Security Goes Mainstream, David Geer, Computer (March 2006)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Aiello, M., Chiarella, D., Papaleo, G. (2009). Statistical Anomaly Detection on Real e-Mail Traffic. In: Corchado, E., Zunino, R., Gastaldo, P., Herrero, Á. (eds) Proceedings of the International Workshop on Computational Intelligence in Security for Information Systems CISIS’08. Advances in Soft Computing, vol 53. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-88181-0_22
Download citation
DOI: https://doi.org/10.1007/978-3-540-88181-0_22
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-88180-3
Online ISBN: 978-3-540-88181-0
eBook Packages: EngineeringEngineering (R0)