Anomaly-based intrusion detection: privacy concerns and other problems

Abstract

This paper addresses the specific advantages and disadvantages of anomaly-based intrusion detection. One important disadvantage is its impact on user privacy: a great deal of potentially sensitive information is recorded and analyzed in ways that threaten personal integrity. One remedy is to pseudonymize the sensitive information in the log files, i.e., to replace user names and similar identifiers with pseudonyms. This paper shows how this can be done. We have carried out a number of experiments using an anomaly detection tool on pseudonymized data collected from a proxy firewall. The experiments revealed most of the known problems of anomaly detection and also some problems that originate from combining intrusion detection with pseudonymization. This paper focuses on these problems and discusses how they can be remedied or circumvented. We also discuss the extent to which these problems apply to tools based on misuse detection.
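The following is an added example, not code from the paper, of the pipeline the abstract describes: proxy-firewall log lines are pseudonymized before they reach an anomaly detector, and the detector builds per-user profiles on the pseudonyms alone. The log format, the sample lines, the secret key, and the profile feature (distinct destination hosts per user per day) are all constructed assumptions for illustration. The pseudonym is a keyed HMAC rather than a plain hash, because a short user name hashed without a key is trivially reversed by dictionary; the re-identification table is returned separately so that it can be held by a different role than the analyst who sees the alerts.

```python
"""Pseudonymize proxy-firewall logs, then run a simple per-user anomaly detector.

Added illustration; the log format and all sample lines are constructed.
"""
import hashlib
import hmac
import statistics
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed lines in an assumed, simplified format:
#   "<day> <user> <client-ip> <method> <url> <status>"
TRAINING_LOG = [
    "day1 alice 10.0.0.5 GET http://intranet.example/home 200",
    "day1 alice 10.0.0.5 GET http://news.example/ 200",
    "day1 bob 10.0.0.7 GET http://intranet.example/home 200",
    "day2 alice 10.0.0.5 GET http://intranet.example/home 200",
    "day2 alice 10.0.0.5 GET http://mail.example/ 200",
    "day2 bob 10.0.0.7 GET http://intranet.example/home 200",
    "day2 bob 10.0.0.7 GET http://news.example/ 200",
    "day3 alice 10.0.0.5 GET http://intranet.example/home 200",
    "day3 bob 10.0.0.7 GET http://intranet.example/home 200",
]
TEST_LOG = [
    "day4 alice 10.0.0.5 GET http://intranet.example/home 200",
    "day4 alice 10.0.0.5 GET http://a.example/ 200",
    "day4 alice 10.0.0.5 GET http://b.example/ 200",
    "day4 alice 10.0.0.5 GET http://c.example/ 200",
    "day4 alice 10.0.0.5 GET http://d.example/ 200",
    "day4 alice 10.0.0.5 GET http://e.example/ 200",
    "day4 bob 10.0.0.7 GET http://intranet.example/home 200",
]


def pseudonym(user: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: the same user always maps to the same
    value, so per-user profiling still works, but without the key the mapping
    cannot be recomputed or brute-forced from a list of likely user names."""
    tag = hmac.new(key, user.encode(), hashlib.sha256).hexdigest()
    return "u" + tag[:12]


def pseudonymize(lines, key: bytes):
    """Replace the user field of every line. Returns the pseudonymized lines and
    the re-identification table (pseudonym -> user), which should be stored
    separately from the data handed to the detector."""
    out, table = [], {}
    for line in lines:
        fields = line.split()
        p = pseudonym(fields[1], key)
        table[p] = fields[1]
        fields[1] = p
        out.append(" ".join(fields))
    return out, table


def distinct_hosts_per_day(lines):
    """Profile feature: number of distinct destination hosts per (user, day)."""
    hosts = defaultdict(set)
    for line in lines:
        day, user, _ip, _method, url, _status = line.split()
        hosts[(user, day)].add(urlsplit(url).hostname)
    per_user = defaultdict(dict)
    for (user, day), h in hosts.items():
        per_user[user][day] = len(h)
    return per_user


def detect(training, test, k: float = 3.0, sd_floor: float = 1.0):
    """Flag a (user, day) whose feature exceeds mean + k * sd of that user's
    training days. The floor on sd keeps a perfectly regular training history
    from turning every small change into an alert. Users with fewer than two
    training days have no usable profile and are reported as such."""
    base = distinct_hosts_per_day(training)
    alerts = []
    for user, days in distinct_hosts_per_day(test).items():
        hist = list(base.get(user, {}).values())
        if len(hist) < 2:
            alerts.extend((user, d, n, "no profile") for d, n in days.items())
            continue
        threshold = statistics.mean(hist) + k * max(statistics.pstdev(hist), sd_floor)
        alerts.extend((user, d, n, "above baseline") for d, n in days.items() if n > threshold)
    return alerts


def run_pipeline(key: bytes):
    """Pseudonymize both logs with the same key (so profiles link across days),
    detect on pseudonyms only, and return the alerts plus the re-identification
    table. The detector never sees a real user name."""
    ptrain, table = pseudonymize(TRAINING_LOG, key)
    ptest, more = pseudonymize(TEST_LOG, key)
    table.update(more)
    return detect(ptrain, ptest), table


if __name__ == "__main__":
    alerts, table = run_pipeline(b"hypothetical-secret-key")
    for p, day, n, reason in alerts:
        print(f"{p} {day}: {n} distinct hosts ({reason}); re-identifies to {table[p]}")
```

The alert names only the pseudonym; re-identifying it requires the table, which is the control point where a policy can decide who may see the real name and when. A general caveat (an observation of this example, not a claim about the paper's results): the code pseudonymizes only the user field, so identifying information carried elsewhere in the line, such as a user name embedded in a URL, would survive pseudonymization untouched and would have to be handled by additional rules.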
