Service-independent payload analysis to improve intrusion detection in network traffic

Published: 27 November 2008

Abstract

The popularity of computer networks broadens the scope for network attackers and increases the damage these attacks can cause. In this context, Intrusion Detection Systems (IDS) are included as part of any complete security package. This work focuses on network IDSs (nIDSs), which work by scanning network traffic. A service-independent payload-processing approach is presented to increase detection rates for non-flood attacks. Three different techniques for payload processing are proposed, and they are shown to detect some of the attack types efficiently. Moreover, properly integrating the knowledge from the different techniques, payload-based and packet-header-based, always improves the results. This work leads us to conclude that payload analysis can be used in a general manner, with no service- or port-specific modelling, to detect attacks in network traffic.

Cited By

  • (2019) A multi-objective evolutionary fuzzy system to obtain a broad and accurate set of solutions in intrusion detection systems. Soft Computing - A Fusion of Foundations, Methodologies and Applications 23(4):1321-1336. doi:10.1007/s00500-017-2856-4. Online publication date: 16 Mar 2019.
  • (2018) A Re-evaluation of Intrusion Detection Accuracy. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, 2195-2197. doi:10.1145/3243734.3278490. Online publication date: 15 Oct 2018.
    Published In

    AusDM '08: Proceedings of the 7th Australasian Data Mining Conference - Volume 87
    November 2008
    229 pages
    ISBN: 9781920682682

    Publisher

    Australian Computer Society, Inc.

    Australia

    Author Tags

    1. AUC
    2. intrusion detection systems
    3. payload
    4. unsupervised anomaly detection

    Acceptance Rates

    Overall acceptance rate: 98 of 232 submissions (42%)
