Anomaly detection methods in wired networks: a survey and taxonomy

Despite the advances made over the last 20 years, anomaly detection in network behaviour is still an immature technology, as the shortage of commercial tools corroborates. Nevertheless, the benefits that could be obtained from a better understanding of the problem itself, as well as from improving these mechanisms, especially in network security, justify the demand for more research effort in this direction. This article presents a survey of current anomaly detection methods for network intrusion detection in classical wired environments. After introducing the problem and explaining why it matters, a taxonomy of current solutions is presented. The outlined scheme allows us to classify current detection methods systematically and to study the different facets of the problem. The most relevant paradigms are then discussed and illustrated through several case studies of selected systems developed in the field, explaining the problems each of them addresses as well as its weakest points. Finally, this work concludes with an analysis of the problems that still remain open. Based on this discussion, some research lines are identified.
