ON THE DETECTION OF NOVEL ATTACKS USING BEHAVIORAL APPROACHES

Benferhat Salem, Tabia Karim

Abstract

During last years, behavioral approaches, representing normal/abnormal activities, have been widely used in intrusion detection. However, they are ineffective for detecting novel attacks involving new behaviors. This paper first analyzes and explains this recurring problem due on one hand to inadequate handling of anomalous and unusual audit events and on other hand to insufficient decision rules which do not meet behavioral approach objectives. We then propose to enhance the standard classification rules in order to fit behavioral approach requirements and detect novel attacks. Experimental studies carried out on real and simulated htt p traffic show that these enhanced decision rules allow to detect most novel attacks without triggering higher false alarm rates.

References

  1. Axelsson, S. (2000). Intrusion detection systems: A survey and taxonomy. Technical Report 99-15, Chalmers Univ.
  2. Barbará, D., Wu, N., and Jajodia, S. (2001). Detecting novel network intrusions using bayes estimators. In Proceedings of the First SIAM Conference on Data Mining.
  3. Ben-Amor, N., Benferhat, S., and Elouedi, Z. (2003). Naive bayesian networks in intrusion detection systems. In ACM, Cavtat-Dubrovnik, Croatia.
  4. Benferhat, S. and Tabia, K. (2005). On the combination of naive bayes and decision trees for intrusion detection. In CIMCA/IAWTIC, pages 211-216.
  5. Elkan, C. (2000). Results of the kdd'99 classifier learning. SIGKDD Explorations, 1(2):63-64.
  6. Friedman, N., Geiger, D., and Goldszmidt, M. (1997). Bayesian network classifiers. Machine Learning, 29(2-3):131-163.
  7. Ingham, K. L. and Inoue, H. (2007). Comparing anomaly detection techniques for http. In RAID, pages 42-62.
  8. Kruegel, C., Mutz, D., Robertson, W., and Valeur, F. (2003). Bayesian event classification for intrusion detection.
  9. Kumar, S. and Spafford, E. H. (1994). An application of pattern matching in intrusion detection. Tech. Rep. CSD-TR-94-013, Department of Computer Scien'ces, Purdue University, West Lafayette.
  10. Lee, W. (1999). A data mining framework for constructing features and models for intrusion detection systems. PhD thesis, New York, NY, USA.
  11. Lippmann, R., Haines, J. W., Fried, D. J., Korba, J., and Das, K. (2000). The 1999 darpa off-line intrusion detection evaluation. Comput. Networks, 34(4):579- 595.
  12. Neumann, P. G. and Porras, P. A. (1999). Experience with EMERALD to date. pages 73-80.
  13. Quinlan, J. R. (1986). Induction of decision trees. Mach. Learn., 1(1).
  14. Riancho, A. (2007). w3af - web application attack and audit framework.
  15. Sebyala, A. A., Olukemi, T., and Sacks, L. (2002). Active platform security through intrusion detection using naive bayesian network for anomaly detection. In Proceedings of the London Communications Symposium 2002.
  16. Shyu, M.-L., Sarinnapakorn, K., Kuruppu-Appuhamilage, I., Chen, S.-C., Chang, L., and Goldring, T. (2005). Handling nominal features in anomaly intrusion detection problems. In RIDE, pages 55-62. IEEE Computer Society.
  17. Snort (2002). Snort: The open source network intrusion detection system. http://www.snort.org.
  18. Tombini, E., Debar, H., Me, L., and Ducasse, M. (2004). A serial combination of anomaly and misuse idses applied to http traffic. In ACSAC 7804: Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC'04), pages 428-437, Washington, DC, USA. IEEE Computer Society.
  19. Valdes, A. and Skinner, K. (2000). Adaptive, model-based monitoring for cyber attack detection. In Recent Advances in Intrusion Detection, pages 80-92.
Download


Paper Citation


in Harvard Style

Salem B. and Karim T. (2008). ON THE DETECTION OF NOVEL ATTACKS USING BEHAVIORAL APPROACHES . In Proceedings of the Third International Conference on Software and Data Technologies - Volume 1: ICSOFT, ISBN 978-989-8111-51-7, pages 265-272. DOI: 10.5220/0001894302650272


in Bibtex Style

@conference{icsoft08,
author={Benferhat Salem and Tabia Karim},
title={ON THE DETECTION OF NOVEL ATTACKS USING BEHAVIORAL APPROACHES},
booktitle={Proceedings of the Third International Conference on Software and Data Technologies - Volume 1: ICSOFT,},
year={2008},
pages={265-272},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0001894302650272},
isbn={978-989-8111-51-7},
}


in EndNote Style

TY - CONF
JO - Proceedings of the Third International Conference on Software and Data Technologies - Volume 1: ICSOFT,
TI - ON THE DETECTION OF NOVEL ATTACKS USING BEHAVIORAL APPROACHES
SN - 978-989-8111-51-7
AU - Salem B.
AU - Karim T.
PY - 2008
SP - 265
EP - 272
DO - 10.5220/0001894302650272