NEW SCHEMES FOR ANOMALY SCORE AGGREGATION AND THRESHOLDING

Salem Benferhat, Karim Tabia

2008

Abstract

Anomaly-based approaches often require multiple profiles and models in order to characterize different aspects of normal behaviors. In particular, anomaly scores of audit events are obtained by aggregating several local anomaly scores. Remarkably, most works focus on profile/model definition while critical issues of anomaly measuring, aggregating and thresholding are dealt with ”simplistically”. This paper addresses the issue of anomaly scoring and aggregating which is a recurring problem in anomaly-based approaches. We propose a Bayesian-based scheme for aggregating anomaly scores in a multi-model approach and propose a two-stage thresholding scheme in order to meet real-time detection requirements. The basic idea of our scheme is the fact that anomalous behaviors induce either intra-model anomalies or inter-model anomalies. Our experimental studies, carried out on recent and real htt p traffic, show for instance that most attacks induce only intra-model anomalies and can be effectively detected in real-time.

References

  1. Angiulli, F., Basta, S., and Pizzuti, C. (2006). Distancebased detection and prediction of outliers. IEEE Trans. on Knowl. and Data Eng., 18(2):145-160.
  2. Axelsson, S. (2000). Intrusion detection systems: A survey and taxonomy. Technical Report 99-15, Chalmers Univ.
  3. Benferhat, S. and Tabia, K. (2008). Classification features for detecting server-side and client-side web attacks. In 23rd International Security Conference, Italy.
  4. Denning, D. E. (1987). An intrusion-detection model. IEEE Trans. Softw. Eng., 13(2):222-232.
  5. Gerhard Mnz, S. L. and Carle, G. (2007). Traffic anomaly detection using k-means clustering.
  6. Gowadia, V., Farkas, C., and Valtorta, M. (2005). Paid: A probabilistic agent-based intrusion detection system. Computers & Security, 24(7):529-545.
  7. Heckerman, D., Geiger, D., and Chickering, D. M. (1995). Learning bayesian networks: The combination of knowledge and statistical data. Machine Learning, 20(3):197-243.
  8. Ingham, K. L. and Inoue, H. (2007). Comparing anomaly detection techniques for http. In RAID, pages 42-62.
  9. Javits and Valdes (1993). The NIDES statistical component: Description and justification.
  10. Jensen, F. V. (1996). An Introduction to Bayesian Networks. UCL press.
  11. Kruegel, C., Mutz, D., Robertson, W., and Valeur, F. (2003). Bayesian event classification for intrusion detection. In Proceedings of the 19th Annual Computer Security Applications Conference, page 14, USA.
  12. Kruegel, C. and Vigna, G. (2003). Anomaly detection of web-based attacks. In CCS 7803: Proceedings of the 10th ACM conference on Computer and communications security, pages 251-261, New York, NY, USA.
  13. Kruegel, C., Vigna, G., and Robertson, W. (2005). A multimodel approach to the detection of web-based attacks. volume 48, pages 717-738.
  14. Krugel, C., Toth, T., and Kirda, E. (2002). Service specific anomaly detection for network intrusion detection. In Proceedings of the 2002 ACM symposium on Applied computing, pages 201-208, USA.
  15. Lee, W. and Xiang, D. (2001). Information-theoretic measures for anomaly detection. In Proceedings of the IEEE Symposium on Security and Privacy, USA.
  16. Neumann, P. G. and Porras, P. A. (1999). Experience with EMERALD to date. In First USENIX Workshop on Intrusion Detection and Network Monitoring, pages 73-80, Santa Clara, California.
Download


Paper Citation


in Harvard Style

Benferhat S. and Tabia K. (2008). NEW SCHEMES FOR ANOMALY SCORE AGGREGATION AND THRESHOLDING . In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2008) ISBN 978-989-8111-59-3, pages 21-28. DOI: 10.5220/0001927900210028


in Bibtex Style

@conference{secrypt08,
author={Salem Benferhat and Karim Tabia},
title={NEW SCHEMES FOR ANOMALY SCORE AGGREGATION AND THRESHOLDING},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2008)},
year={2008},
pages={21-28},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0001927900210028},
isbn={978-989-8111-59-3},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2008)
TI - NEW SCHEMES FOR ANOMALY SCORE AGGREGATION AND THRESHOLDING
SN - 978-989-8111-59-3
AU - Benferhat S.
AU - Tabia K.
PY - 2008
SP - 21
EP - 28
DO - 10.5220/0001927900210028