DOI: 10.1145/1920261.1920279

Network intrusion detection: dead or alive?

Published: 06 December 2010

Abstract

Research on network intrusion detection has produced a number of interesting results. In this paper, I look back to the NetSTAT system, which was presented at ACSAC in 1998. In addition to describing the original system, I discuss some historical context, with reference to well-known evaluation efforts and to the evolution of network intrusion detection into a broader field that includes malware detection and the analysis of malicious behavior.

Published In

ACSAC '10: Proceedings of the 26th Annual Computer Security Applications Conference
December 2010
419 pages
ISBN:9781450301336
DOI:10.1145/1920261
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

  • ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. intrusion detection
  2. network security

Qualifiers

  • Research-article

Conference

ACSAC '10
Sponsor:
  • ACSA

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%

Article Metrics

  • Downloads (last 12 months): 2
  • Downloads (last 6 weeks): 1
Reflects downloads up to 13 Jan 2025

Cited By

  • (2023) Alert Alchemy: SOC Workflows and Decisions in the Management of NIDS Rules. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pp. 2770-2784. DOI: 10.1145/3576915.3616581. Online publication date: 15 Nov 2023.
  • (2022) Ruling the Rules. Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security, pp. 799-814. DOI: 10.1145/3488932.3517412. Online publication date: 30 May 2022.
  • (2017) Anomaly Detection as a Service: Challenges, Advances, and Opportunities. Synthesis Lectures on Information Security, Privacy, and Trust, 9(3):1-173. DOI: 10.2200/S00800ED1V01Y201709SPT022. Online publication date: 24 Oct 2017.
  • (2014) Similarity as a central approach to flow-based anomaly detection. Networks, 24(4):318-336. DOI: 10.1002/nem.1867. Online publication date: 1 Jul 2014.
  • (2013) Evaluation in the absence of absolute ground truth. International Journal of Information Security, 12(2):97-110. DOI: 10.1007/s10207-012-0178-1. Online publication date: 1 Apr 2013.
  • (2012) A comprehensive semi-automated incident handling workflow. 6th International Symposium on Telecommunications (IST), pp. 1065-1070. DOI: 10.1109/ISTEL.2012.6483144. Online publication date: Nov 2012.
