Intrusion Detection Systems: A Survey and Taxonomy

This paper presents a taxonomy of intrusion detection systems that is then used to survey and classify a number of research prototypes. The taxonomy consists of a classification first of the detection principle, and second of certain operational aspects of the intrusion detection system as such. The systems are also grouped according to the increasing difficulty of the problem they attempt to address. These classifications are used predictively, pointing towards a number of areas of future research in the field of intrusion detection.

[1]  Stefanos Manganaris,et al.  A Data Mining Analysis of RTID Alarms , 2000, Recent Advances in Intrusion Detection.

[2]  Barak A. Pearlmutter,et al.  Detecting intrusions using system calls: alternative data models , 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).

[3]  Alfonso Valdes,et al.  Live Traffic Analysis of TCP/IP Gateways , 1998, NDSS.

[4]  Carla E. Brodley,et al.  Temporal sequence learning and data reduction for anomaly detection , 1998, CCS '98.

[5]  Steven R. Snapp,et al.  The DIDS (Distributed Intrusion Detection System) Prototype , 1992, USENIX Summer.

[6]  Koral Ilgun,et al.  USTAT: a real-time intrusion detection system for UNIX , 1993, Proceedings 1993 IEEE Computer Society Symposium on Research in Security and Privacy.

[7]  Todd L. Heberlein,et al.  Network intrusion detection , 1994, IEEE Network.

[8]  J. Noelle McAuliffe,et al.  Is your computer being misused? A survey of current intrusion detection system technology , 1990, [1990] Proceedings of the Sixth Annual Computer Security Applications Conference.

[9]  Eugene H. Spafford,et al.  An Application of Pattern Matching in Intrusion Detection , 1994 .

[10]  Udo W. Pooch,et al.  Cooperating security managers: Distributed intrusion detection systems , 1996, Comput. Secur..

[11]  Shyhtsun Felix Wu,et al.  Architecture Design of a Scalable Intrusion Detection System for the Emerging Network Infrastructure , 1997 .

[12]  Richard A. Kemmerer,et al.  State Transition Analysis: A Rule-Based Intrusion Detection Approach , 1995, IEEE Trans. Software Eng..

[13]  Erland Jonsson,et al.  An Approach to UNIX Security Logging 1 , 1998 .

[14]  Karl N. Levitt,et al.  GrIDS A Graph-Based Intrusion Detection System for Large Networks , 1996 .

[15]  S. E. Smaha Haystack: an intrusion detection system , 1988, [Proceedings 1988] Fourth Aerospace Computer Security Applications.

[16]  Ian Goldberg,et al.  A Secure Environment for Untrusted Helper Applications ( Confining the Wily Hacker ) , 1996 .

[17]  H. Javitz,et al.  Detecting Unusual Program Behavior Using the Statistical Component of the Next-generation Intrusion Detection Expert System ( NIDES ) 1 , 1997 .

[18]  Eugene H. Spafford,et al.  A PATTERN MATCHING MODEL FOR MISUSE INTRUSION DETECTION , 1994 .

[19]  K. A. Jackson,et al.  An expert system application for network intrusion detection , 1991 .

[20]  J. F. McClary,et al.  NADIR: An automated system for detecting network intrusion and misuse , 1993, Comput. Secur..

[21]  Sandeep Kumar,et al.  A Software Architecture to Support Misuse Intrusion Detection , 1995 .

[22]  Hervé Debar,et al.  A neural network component for an intrusion detection system , 1992, Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy.

[23]  Ewart R. Carson,et al.  Dealing with Complexity , 1988, Springer US.

[24]  Karl N. Levitt,et al.  Automated detection of vulnerabilities in privileged programs by execution monitoring , 1994, Tenth Annual Computer Security Applications Conference.

[25]  TERRAN LANE,et al.  Temporal sequence learning and data reduction for anomaly detection , 1999, TSEC.

[26]  Marc Dacier,et al.  Towards a taxonomy of intrusion-detection systems , 1999, Comput. Networks.

[27]  Sandeep Kumar,et al.  Classification and detection of computer intrusions , 1996 .

[28]  Erland Jonsson,et al.  How to systematically classify computer security intrusions , 1997, S&P 1997.

[29]  Naji Habra,et al.  ASAX: Software Architecture and Rule-Based Language for Universal Audit Trail Analysis , 1992, ESORICS.

[30]  Biswanath Mukherjee,et al.  A network security monitor , 1990, Proceedings. 1990 IEEE Computer Society Symposium on Research in Security and Privacy.

[31]  Ulf Lindqvist,et al.  Detecting computer and network misuse through the production-based expert system toolset (P-BEST) , 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).

[32]  Peter G. Neumann,et al.  EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances , 1997, CCS 2002.

[33]  Vern Paxson,et al.  Bro: a system for detecting network intruders in real-time , 1998, Comput. Networks.

[34]  H. Javitz,et al.  IDES : The Enhanced Prototype A Real-Time Intrusion-Detection Expert System , 1988 .

[35]  Wietse Z. Venema,et al.  TCP Wrapper: Network Monitoring, Access Control, and Booby Traps , 1992, USENIX Summer.

[36]  Gunar E. Liepins,et al.  Detection of anomalous computer session activity , 1989, Proceedings. 1989 IEEE Symposium on Security and Privacy.

[37]  Ewart R. Carson,et al.  Dealing with complexity: an introduction to the theory & applications of systemsscience , 1988 .

[38]  Josef Pieprzyk,et al.  Intrusion Detection: A Survey , 1996 .

[39]  Karl N. Levitt,et al.  Execution monitoring of security-critical programs in distributed systems: a specification-based approach , 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).

[40]  Stefan Axelsson,et al.  An Approach to UNIX Security Logging , 1998 .

[41]  Salvatore J. Stolfo,et al.  A data mining framework for building intrusion detection models , 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).

[42]  Robert K. Cunningham,et al.  The 1998 DARPA/AFRL Off-line Intrusion Detection Evaluation , 1998 .

[43]  Paul Helman,et al.  Statistical Foundations of Audit Trail Analysis for the Detection of Computer Misuse , 1993, IEEE Trans. Software Eng..

[44]  Stefan Axelsson,et al.  The base-rate fallacy and its implications for the difficulty of intrusion detection , 1999, CCS '99.

[45]  Eugene H. Spafford,et al.  IDIOT - Users Guide , 1996 .

[46]  Alfonso Valdes,et al.  Next-generation Intrusion Detection Expert System (NIDES)A Summary , 1997 .