Abstract
Behavioral approaches, which model normal and abnormal activity, have been widely used in recent years in intrusion detection and computer security. Nevertheless, most studies show that they are ineffective at detecting novel attacks that involve new behaviors. In this paper, we first study this recurring problem, which is due, on the one hand, to inadequate handling of anomalous and unusual audit events and, on the other hand, to insufficient decision rules that do not meet the objectives of the behavioral approach. We then propose enhancements to the standard decision rules so that they fit the requirements of the behavioral approach and better detect novel attacks. Experimental studies carried out on real and simulated HTTP traffic show that these enhanced decision rules improve the detection of most novel attacks without triggering higher false alarm rates.
© 2009 Springer-Verlag Berlin Heidelberg
Benferhat, S., Tabia, K. (2009). Anomaly Detection Using Behavioral Approaches. In: Cordeiro, J., Shishkov, B., Ranchordas, A., Helfert, M. (eds) Software and Data Technologies. ICSOFT 2008. Communications in Computer and Information Science, vol 47. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-05201-9_17
DOI: https://doi.org/10.1007/978-3-642-05201-9_17
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-05200-2
Online ISBN: 978-3-642-05201-9