
Anomaly Detection Using Behavioral Approaches

Conference paper. Software and Data Technologies (ICSOFT 2008).

Part of the book series: Communications in Computer and Information Science (CCIS, volume 47).

Abstract

Behavioral approaches, which model normal and abnormal activity, have been widely used in recent years in intrusion detection and computer security. Nevertheless, most studies have shown that they are ineffective at detecting novel attacks that involve new behaviors. In this paper, we first study this recurring problem, which is due on the one hand to inadequate handling of anomalous and unusual audit events and on the other hand to insufficient decision rules that do not meet the objectives of the behavioral approach. We then propose to enhance the standard decision rules so that they fit the requirements of the behavioral approach and better detect novel attacks. Experimental studies carried out on real and simulated HTTP traffic show that these enhanced decision rules improve the detection of most novel attacks without raising the false alarm rate.
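The abstract names the core failure mode but does not spell it out: a classifier trained on normal traffic and a few known attack classes uses an argmax decision rule, so an audit event unlike anything in training is still assigned to whichever known class is least unlikely, which in practice is the dominant "normal" class. The following added example (not code from the paper, and not the authors' enhanced rules, which the abstract does not describe) reproduces that problem on constructed HTTP audit records with a naive Bayes model, then shows one generic alternative rule: in addition to the argmax, the event must be at least as plausible under the chosen class as the least plausible training record was, otherwise it is reported as an anomaly. All feature names, classes and records below are constructed for illustration.

```python
"""Why argmax decision rules miss novel behaviour, and one way to fix it.

Added illustration, not the paper's method. A naive Bayes classifier is
trained on constructed HTTP audit records labelled 'normal' or with a
known attack class. The standard rule returns the most probable known
class; the alternative rule also rejects events that are implausible
under that class and labels them 'anomaly'.
"""
from collections import Counter, defaultdict
from math import log

# Nominal features of each audit record (constructed, not from the paper).
FEATURES = ("method", "path_class", "query_class", "status", "ua_class")

# Constructed training data: mostly normal traffic plus two known attack classes.
TRAIN = [
    (("GET", "static", "none", "200", "browser"), "normal"),
    (("GET", "static", "none", "200", "browser"), "normal"),
    (("GET", "static", "none", "304", "browser"), "normal"),
    (("GET", "dynamic", "simple", "200", "browser"), "normal"),
    (("POST", "dynamic", "form", "200", "browser"), "normal"),
    (("GET", "dynamic", "simple", "200", "browser"), "normal"),
    (("GET", "static", "none", "404", "browser"), "normal"),
    (("GET", "dynamic", "simple", "200", "bot"), "normal"),
    (("GET", "traversal", "none", "404", "scanner"), "traversal"),
    (("GET", "traversal", "none", "403", "scanner"), "traversal"),
    (("GET", "dynamic", "sqli", "500", "scanner"), "sqli"),
    (("GET", "dynamic", "sqli", "200", "scanner"), "sqli"),
]


class NaiveBayes:
    """Categorical naive Bayes with Laplace smoothing over nominal features."""

    def __init__(self, records, alpha=1.0):
        self.alpha = alpha
        self.class_count = Counter(label for _, label in records)
        self.total = len(records)
        # feature -> class -> value -> count
        self.counts = {f: defaultdict(Counter) for f in FEATURES}
        self.values = {f: set() for f in FEATURES}
        for rec, label in records:
            for f, v in zip(FEATURES, rec):
                self.counts[f][label][v] += 1
                self.values[f].add(v)

    def log_likelihood(self, rec, label):
        """log P(rec | label); one extra smoothing slot reserves mass for unseen values."""
        ll = 0.0
        for f, v in zip(FEATURES, rec):
            c = self.counts[f][label]
            n_vals = len(self.values[f]) + 1
            ll += log((c[v] + self.alpha) / (self.class_count[label] + self.alpha * n_vals))
        return ll

    def log_posteriors(self, rec):
        """Unnormalised log P(label | rec) for every known class."""
        return {
            label: log(self.class_count[label] / self.total) + self.log_likelihood(rec, label)
            for label in self.class_count
        }


def standard_rule(model, rec):
    """Argmax over known classes: always answers with some trained class."""
    post = model.log_posteriors(rec)
    return max(post, key=post.get)


def fit_threshold(model, records):
    """Lowest log-likelihood any training record has under its own class."""
    return min(model.log_likelihood(rec, label) for rec, label in records)


def enhanced_rule(model, rec, min_log_likelihood):
    """Argmax, but reject the decision when the event is implausible under that class."""
    label = standard_rule(model, rec)
    if model.log_likelihood(rec, label) < min_log_likelihood:
        return "anomaly"
    return label


MODEL = NaiveBayes(TRAIN)
THRESHOLD = fit_threshold(MODEL, TRAIN)

# Constructed novel event: an HTTP method and query encoding never seen in training.
NOVEL = ("PUT", "dynamic", "encoded", "200", "browser")


def compare(rec):
    """Return (standard decision, enhanced decision) for one audit record."""
    return standard_rule(MODEL, rec), enhanced_rule(MODEL, rec, THRESHOLD)


if __name__ == "__main__":
    for rec in (NOVEL, ("GET", "static", "none", "200", "browser"),
                ("GET", "traversal", "none", "404", "scanner")):
        print(rec, "->", compare(rec))
```

The novel event is assigned to "normal" by the argmax rule, because the large normal class absorbs the smoothing mass for unseen values better than the two small attack classes do, while the plausibility check reports it as an anomaly; the ordinary browsing record and the known traversal probe keep their labels under both rules. Calibrating the threshold from training data, as here, is the simplest choice and trades some false alarms on rare but legitimate events for coverage of unseen ones, which is the balance the abstract evaluates.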




Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Benferhat, S., Tabia, K. (2009). Anomaly Detection Using Behavioral Approaches. In: Cordeiro, J., Shishkov, B., Ranchordas, A., Helfert, M. (eds) Software and Data Technologies. ICSOFT 2008. Communications in Computer and Information Science, vol 47. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-05201-9_17

  • DOI: https://doi.org/10.1007/978-3-642-05201-9_17

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-05200-2

  • Online ISBN: 978-3-642-05201-9

  • eBook Packages: Computer Science (R0)
