An attack-norm separation approach for detecting cyber attacks

Published in Information Systems Frontiers

Abstract

The two existing approaches to detecting cyber attacks on computers and networks, signature recognition and anomaly detection, have shortcomings in the accuracy and efficiency of detection. This paper describes a new approach to cyber attack (intrusion) detection that aims to overcome these shortcomings through several innovations. We call our approach attack-norm separation. The attack-norm separation approach engages in the scientific discovery of data, features and characteristics for cyber signal (attack data) and noise (normal data). We use attack profiling and analytical discovery techniques to generalize the data, features and characteristics that exist in cyber attack and norm data. We also leverage well-established signal detection models from the physical space (e.g., radar signal detection) and verify them in cyberspace. On this foundation of information, we build attack-norm separation models that incorporate both attack and norm characteristics. This enables us to take the least amount of relevant data necessary to achieve detection accuracy and efficiency. The attack-norm separation approach considers not only activity data, but also state and performance data along the cause-effect chains of cyber attacks on computers and networks. This enables us to achieve a degree of detection adequacy lacking in existing intrusion detection systems.
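The abstract's central argument, that a detector built from both attack and norm characteristics (as radar signal detection is) can outperform one that models only the norm, can be seen on a single monitored feature. The following is an added illustration, not the paper's code or data: it assumes the feature's norm and attack values are Gaussian with known parameters (the values are constructed), uses the log-likelihood-ratio test as the "physical space" signal detection model, and compares it with an anomaly-only rule that alarms on distance from the norm mean.

```python
"""Attack-norm separation versus anomaly-only detection on one feature.

Constructed illustration, not the paper's code. Assumption: norm and
attack values of one monitored feature (e.g. a per-second activity count)
are each Gaussian with known mean and standard deviation; the parameter
values in main are made up. The separation detector is the radar-style
log-likelihood-ratio test; the anomaly detector knows only the norm.
"""
import math
import random

def gauss_pdf(x, mu, sigma):
    """Probability density of N(mu, sigma^2) at x."""
    z = (x - mu) / sigma
    return math.exp(-0.5 * z * z) / (sigma * math.sqrt(2.0 * math.pi))

def llr(x, norm, attack):
    """log p(x | attack) - log p(x | norm); positive favours 'attack'."""
    return math.log(gauss_pdf(x, *attack)) - math.log(gauss_pdf(x, *norm))

def separation_detector(x, norm, attack, threshold=0.0):
    """Alarm when evidence for attack outweighs evidence for norm.
    threshold 0 means equal priors; raise it to trade misses for fewer alarms."""
    return llr(x, norm, attack) > threshold

def anomaly_detector(x, norm, k=3.0):
    """Alarm when x lies more than k standard deviations from the norm mean."""
    mu, sigma = norm
    return abs(x - mu) > k * sigma

def make_samples(params, n, seed):
    """Deterministic constructed samples from N(mu, sigma^2)."""
    rng = random.Random(seed)
    mu, sigma = params
    return [rng.gauss(mu, sigma) for _ in range(n)]

def error_rates(detector, norm_samples, attack_samples):
    """Return (false-alarm rate on norm data, miss rate on attack data)."""
    fp = sum(1 for x in norm_samples if detector(x)) / len(norm_samples)
    fn = sum(1 for x in attack_samples if not detector(x)) / len(attack_samples)
    return fp, fn

if __name__ == "__main__":
    norm, attack = (100.0, 10.0), (130.0, 10.0)  # constructed parameters
    ns, as_ = make_samples(norm, 2000, 1), make_samples(attack, 2000, 2)
    for name, det in [("separation", lambda x: separation_detector(x, norm, attack)),
                      ("anomaly", lambda x: anomaly_detector(x, norm))]:
        fp, fn = error_rates(det, ns, as_)
        print(f"{name:10s} false alarms {fp:.3f}  misses {fn:.3f}")
```

The anomaly rule keeps false alarms low but misses roughly half of the attack samples because its threshold is chosen without any knowledge of the attack; the separation detector places its boundary where the two densities cross and has a far lower total error.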



Author information

Corresponding author

Correspondence to Nong Ye.

Additional information

Nong Ye is a Professor of Industrial Engineering and an Affiliated Professor of Computer Science and Engineering at Arizona State University (ASU), and the Director of the Information Systems Assurance Laboratory at ASU. Her research interests lie in security and Quality of Service assurance of information systems and infrastructures. She holds a Ph.D. degree in Industrial Engineering from Purdue University, West Lafayette, and M.S. and B.S. degrees in Computer Science from the Chinese Academy of Sciences and Peking University in China, respectively. She is a senior member of IIE and IEEE, and an Associate Editor for IEEE Transactions on Systems, Man, and Cybernetics and IEEE Transactions on Reliability.

Toni Farley is the Assistant Director of the Information and Systems Assurance Laboratory, and a doctoral student of Computer Science at Arizona State University (ASU), Tempe, Arizona. She is studying under a Graduate Fellowship from AT&T Labs-Research. Her research interests include graphs, networks and network security. She holds a B.S. degree in Computer Science and Engineering from ASU. She is a member of IEEE and the IEEE Computer Society. Her email address is toni@asu.edu.

Deepak Lakshminarasimhan is a Research Assistant at the Information and Systems Assurance Laboratory, and a Master of Science student in Electrical Engineering at Arizona State University (ASU), Tempe, Arizona. His research interests include network security, digital signal processing and statistical data analysis. He holds a B.S. degree in Electronics and Communication Engineering from Bharathidasan University in India.


About this article

Cite this article

Ye, N., Farley, T. & Lakshminarasimhan, D. An attack-norm separation approach for detecting cyber attacks. Inf Syst Front 8, 163–177 (2006). https://doi.org/10.1007/s10796-006-8731-y
