An Architecture for Anomaly Detection

Anomaly detection systems have become popular over the years. Their basic principle is to compare incoming traffic against a previously built profile that represents the "normal", or expected, traffic. Anything that exceeds the normal activity (usually as measured against thresholds) is flagged as an attack. Unfortunately, not everything that surpasses the expected activity is indeed an attack, so anomaly detection systems tend to generate large numbers of false alarms. In this chapter we present an efficient architecture that can be used to design anomaly detection systems while keeping false alarms at a manageable level. We also present an implementation of this architecture that we have built and experimented with.
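The following is an added illustration of the profile-plus-threshold principle described above; it is not code from the chapter or from the authors' implementation. It builds a profile (mean and standard deviation) from a constructed baseline of requests per minute, scores later observations by their distance from that profile, and shows how a threshold set too low turns a benign traffic spike into a false alarm while a higher one isolates the genuine outlier. The sample numbers and the labelling of one observation as an attack are assumptions made for the example.

```python
"""Threshold-based anomaly detection against a baseline traffic profile (added example)."""
from statistics import mean, stdev

# Constructed baseline: requests per minute observed during a quiet training period.
BASELINE_RPM = [98, 103, 110, 95, 101, 107, 99, 104, 100, 96]

# Constructed monitoring window. Index 1 is a benign spike (a busy minute);
# index 3 is the observation we label as an attack for this example.
OBSERVED_RPM = [100, 118, 99, 420, 102]
KNOWN_ATTACKS = {3}


def build_profile(samples):
    """Summarise 'normal' activity as the mean and standard deviation of the samples."""
    return {"mean": mean(samples), "stdev": stdev(samples)}


def score(profile, value):
    """Number of standard deviations the value lies above the profile mean (z-score)."""
    return (value - profile["mean"]) / profile["stdev"]


def detect(profile, observations, threshold):
    """Indexes of observations whose z-score exceeds the threshold."""
    return [i for i, v in enumerate(observations) if score(profile, v) > threshold]


def false_alarms(flagged, known_attacks):
    """Flagged indexes that are not attacks, i.e. the false alarms a threshold produced."""
    return [i for i in flagged if i not in known_attacks]


if __name__ == "__main__":
    profile = build_profile(BASELINE_RPM)
    for threshold in (3.0, 5.0):
        flagged = detect(profile, OBSERVED_RPM, threshold)
        print(f"threshold={threshold}: flagged={flagged} "
              f"false_alarms={false_alarms(flagged, KNOWN_ATTACKS)}")
```

With the constructed data the mean is 101.3 and the sample standard deviation is about 4.76, so the benign spike of 118 scores roughly 3.5 and is flagged at a threshold of 3 but not at 5, whereas the 420-request minute scores far above both. Raising the threshold removes the false alarm here, but in general it also raises the chance of missing low-volume attacks, which is exactly the trade-off the chapter's architecture sets out to manage.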
