DOI: 10.1145/1146847.1146870
Article

An evaluation technique for network intrusion detection systems

Published: 30 May 2006

Abstract

Various algorithms have been developed to identify different types of network intrusions; however, there is no heuristic to confirm the accuracy of their results. The exact effectiveness of a network intrusion detection system's ability to identify malicious sources cannot be reported unless a concise measurement of performance is available. This paper addresses the need for an evaluation technique and proposes a comparison technique for current scan detection algorithms that can accurately measure the false positive rate and precision of identified scanners.

References

[1] J. Green, D. Marchette, S. Northcutt and B. Ralph. Analysis Techniques for Detecting Coordinated Attacks and Probes. In Proceedings of the USENIX Workshop on Intrusion Detection and Network Monitoring, pages 12--20, Santa Clara, California, USA, April 1999.
[2] L. Heberlein, G. Dias, K. Levitt, B. Mukherjee, J. Wood and D. Wolber. A Network Security Monitor. In Proceedings of the IEEE Symposium on Security and Privacy, pages 296--304, Washington DC, USA, 1990.
[3] J. Jung, V. Paxson, A. Berger and H. Balakrishnan. Fast Portscan Detection Using Sequential Hypothesis Testing. In Proceedings of the IEEE Symposium on Security and Privacy, Berkeley, CA, USA, May 2004.
[4] R. Kompella, S. Singh and G. Varghese. On Scalable Attack Detection in the Network. In Proceedings of the 4th ACM SIGCOMM Conference on Internet Measurement, pages 187--200, Taormina, Sicily, Italy, October 2004.
[5] C. Leckie and R. Kotagiri. A Probabilistic Approach to Network Scan Detection. In Proceedings of the 8th IEEE Network Operations and Management Symposium (NOMS 2002), pages 369--372, April 2002.
[6] K. Levchenko, R. Paturi and G. Varghese. On the Difficulty of Scalably Detecting Network Attacks. In Proceedings of the 11th ACM Conference on Computer and Communications Security, pages 12--20, Washington DC, USA, October 2004.
[7] S. Northcutt and J. Novak. Network Intrusion Detection: An Analyst's Handbook. New Riders Publishing, second edition, 2000.
[8] V. Paxson. Bro: A System for Detecting Network Intruders in Real-Time. Computer Networks, 31(23--24):2435--2463, 1999.
[9] S. Robertson, E. Siegel, M. Miller and S. Stolfo. Surveillance Detection in High Bandwidth Environments. In Proceedings of the 2003 DARPA Information Survivability Conference and Exposition, pages 130--139, Washington DC, USA, April 2003.
[10] M. Roesch. Snort: Lightweight Intrusion Detection for Networks. In Proceedings of the 13th Systems Administration Conference (LISA '99), pages 229--238, Seattle, Washington, USA, November 1999. USENIX Association.
[11] J. Sommers, V. Yegneswaran and P. Barford. A Framework for Malicious Workload Generation. In Proceedings of the 4th ACM SIGCOMM Conference on Internet Measurement, pages 82--87, Taormina, Sicily, Italy, October 2004.
[12] S. Staniford, J. Hoagland and J. McAlerney. Practical Automated Detection of Stealthy Portscans. Journal of Computer Security, 10(1--2):105--136, 2002.
[13] C. Taylor and J. Alves-Foss. NATE: Network Analysis of Anomalous Traffic Events, a Low-Cost Approach. In Proceedings of the 2001 Workshop on New Security Paradigms, pages 89--96, Cloudcroft, New Mexico, USA, September 2001.
[14] V. Yegneswaran, P. Barford and J. Ullrich. Internet Intrusions: Global Characteristics and Prevalence. In Proceedings of ACM SIGMETRICS, June 2003.
[15] D. Zhang. Network Intrusion Detection Techniques for Single Source and Coordinated Scans. Honours thesis, The University of Melbourne, 2005.



Reviews

Phoram Mehta

Since the advent of network intrusion detection systems (NIDS), researchers have taken multiple approaches to create them. However, there are no definitive sources that provide a useful comparison of the different algorithms used to detect network intrusions. In this paper, the authors have tried to answer some of these questions and provide a framework for future research that can help determine the best approach for a given environment. The paper claims to propose a comparison technique for current scan-detection algorithms (signature analysis and anomaly detection) for accurately measuring the false-positive rate and precision of identified scanners. The authors briefly describe all three major algorithms [1,2,3] compared, and also mention the attributes (like low false positives, high processing speeds, and minimum maintenance) that these scan-detection methods desire. The evaluation is focused on calculating the metrics that indicate the effectiveness of the algorithms in detecting scanners from the Auckland II dataset. The false-positive rate, precision, and recall are calculated based on the number of attack sources flagged as host scanners by each detection method. Although the actual number of scanners is unknown, the authors compare the results from each method and present their conclusions based on the relative performance. The comparison is mainly between the probabilistic approach and the sequential hypothesis testing approach, where the results from the signature analysis are used as an aid. Based on the results, the authors conclude that the probabilistic approach is optimal for a system that experiences a small number of network intrusions, with the majority of accesses originating from normal users. The sequential hypothesis testing approach can be seen as more appropriate for a system that wishes to be less conservative in its scan identifications.
Although these results are not absolute, the authors have made an important observation upon which more work can be performed. On a side note, commercial vendors have started offering NIDS that integrate all of the above and some additional techniques, like protocol analysis, to produce results that exhibit all of the desired attributes.

Source: Online Computing Reviews Service
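The metrics the review describes (false-positive rate, precision and recall computed per detection method from the set of sources each method flags as host scanners), and the relative comparison used when the true scanner set is unknown, can be made concrete with a small script. This is an added example, not code from the paper or from its authors: the three "detectors" are stand-ins whose outputs are constructed sets of flagged addresses, not implementations of the probabilistic, sequential-hypothesis-testing or signature methods, and the scanner labels and TEST-NET-1 addresses are assumed for illustration.

```python
"""Scan-detector evaluation: false-positive rate, precision and recall per
detector, plus the relative comparison used when ground truth is unknown.

Added example, not code from the paper. The detector outputs below are
CONSTRUCTED stand-ins (sets of flagged source addresses), not implementations
of the probabilistic, sequential-hypothesis-testing or signature algorithms.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Metrics:
    tp: int  # scanners correctly flagged
    fp: int  # benign sources wrongly flagged
    fn: int  # scanners missed
    tn: int  # benign sources correctly left alone

    @property
    def false_positive_rate(self) -> float:
        # FP / (FP + TN): share of benign sources that were flagged
        d = self.fp + self.tn
        return self.fp / d if d else 0.0

    @property
    def precision(self) -> float:
        # TP / (TP + FP): share of flagged sources that really are scanners
        d = self.tp + self.fp
        return self.tp / d if d else 0.0

    @property
    def recall(self) -> float:
        # TP / (TP + FN): share of real scanners that were flagged
        d = self.tp + self.fn
        return self.tp / d if d else 0.0


def score(flagged: set[str], scanners: set[str], sources: set[str]) -> Metrics:
    """Confusion counts for one detector against a labelled source set."""
    if not scanners <= sources or not flagged <= sources:
        raise ValueError("flagged and scanner sets must be subsets of sources")
    benign = sources - scanners
    return Metrics(
        tp=len(flagged & scanners),
        fp=len(flagged & benign),
        fn=len(scanners - flagged),
        tn=len(benign - flagged),
    )


def jaccard(a: set[str], b: set[str]) -> float:
    """Overlap between two detectors' flag sets (1.0 = identical)."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0


def relative_comparison(detectors: dict[str, set[str]],
                        reference: set[str]) -> dict[str, dict[str, float]]:
    """Relative view when no ground truth exists: for each detector, how many
    sources it flags and what fraction of them a reference method (here the
    signature-analysis flags) also flagged. An unconfirmed flag is not
    automatically a false positive; the reference may simply lack a rule."""
    out = {}
    for name, flagged in detectors.items():
        confirmed = len(flagged & reference)
        out[name] = {
            "flagged": len(flagged),
            "confirmed_by_reference": confirmed,
            "confirmed_fraction": confirmed / len(flagged) if flagged else 0.0,
        }
    return out


# --- constructed sample (TEST-NET-1 addresses; scanner labels are assumed) --
SOURCES = {f"192.0.2.{i}" for i in range(1, 11)}
SCANNERS = {"192.0.2.1", "192.0.2.2", "192.0.2.3"}  # assumed ground truth
DETECTORS = {
    # conservative: flags few sources, one of them benign
    "probabilistic": {"192.0.2.1", "192.0.2.2", "192.0.2.4"},
    # less conservative: catches every scanner but also two benign hosts
    "sequential_hypothesis": {"192.0.2.1", "192.0.2.2", "192.0.2.3",
                              "192.0.2.4", "192.0.2.5"},
    # signature analysis: only what it has a rule for, no false alarms
    "signature": {"192.0.2.1", "192.0.2.3"},
}


def evaluate_all() -> dict[str, Metrics]:
    """Score every constructed detector against the assumed ground truth."""
    return {name: score(flagged, SCANNERS, SOURCES)
            for name, flagged in DETECTORS.items()}


if __name__ == "__main__":
    for name, m in evaluate_all().items():
        print(f"{name:22s} FPR={m.false_positive_rate:.2f} "
              f"precision={m.precision:.2f} recall={m.recall:.2f}")
    print("overlap(probabilistic, sequential_hypothesis) =",
          f"{jaccard(DETECTORS['probabilistic'], DETECTORS['sequential_hypothesis']):.2f}")
    anomaly_only = {k: v for k, v in DETECTORS.items() if k != "signature"}
    for name, r in relative_comparison(anomaly_only, DETECTORS["signature"]).items():
        print(name, r)
```

With the constructed sets, the conservative detector scores the lower false-positive rate and the less conservative one the higher recall, which is the trade-off the review summarises; the `relative_comparison` output is the only view available when, as on the Auckland II traces, nobody knows the true number of scanners, so treat a confirmed fraction as a lower bound on precision rather than a measurement of it.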


Published In

InfoScale '06: Proceedings of the 1st International Conference on Scalable Information Systems
May 2006, 512 pages
ISBN: 1595934286
DOI: 10.1145/1146847

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

Publisher

Association for Computing Machinery, New York, NY, United States


Acceptance Rates

InfoScale '06: 33 of 91 submissions accepted (36%)


Cited By

  • (2016) Probabilistic models-based intrusion detection using sequence characteristics in control system communication. Neural Computing and Applications, 27(5):1119--1127, 1 Jul 2016. doi:10.1007/s00521-015-1984-y
  • (2015) Network anomaly detection by continuous hidden Markov models. Intelligent Data Analysis, 19(2):391--412, 1 Mar 2015. doi:10.5555/2768391.2768401
  • (2012) Intrusion Detection in Control Systems using Sequence Characteristics. IEEJ Transactions on Electronics, Information and Systems, 132(1):14--20, 2012. doi:10.1541/ieejeiss.132.14
  • (2012) Host Based Detection Approach Using Time Based Module for Fast Attack Detection Behavior. In Recent Progress in Data Engineering and Internet Technology, pages 163--171, 2012. doi:10.1007/978-3-642-28798-5_23
  • (2012) Effective allied network security system based on designed scheme with conditional legitimate probability against distributed network attacks and intrusions. International Journal of Communication Systems, 25(5):672--688, 1 May 2012. doi:10.1002/dac.1289
  • (2010) Time Based Intrusion Detection on Fast Attack for Network Intrusion Detection System. In Proceedings of the 2010 Second International Conference on Network Applications, Protocols and Services, pages 148--152, 22 Sep 2010. doi:10.1109/NETAPPS.2010.33
  • (2007) Diagnosing network faults using Bayesian and case-based reasoning techniques. In 2007 International Conference on Computer Engineering & Systems, pages 145--150, Nov 2007. doi:10.1109/ICCES.2007.4447040
