论文信息 - A serial combination of anomaly and misuse IDSes applied to HTTP traffic

A serial combination of anomaly and misuse IDSes applied to HTTP traffic

Combining an "anomaly" and a "misuse" IDSes offers the advantage of separating the monitored events between normal, intrusive or unqualified classes (i.e. not known as an attack, but not recognize as safe either). In this article, we provide a framework to systematically reason about the combination of anomaly and misuse components. This framework applied to Web servers lead us to propose a serial architecture, using a drastic anomaly component with a sensitive misuse component. This architecture provides the operator with better qualification of the detection results, raises lower amount of false alarms and unqualified events.

[1] R. Sekar,et al. Experiences with Specification-Based Intrusion Detection , 2001, Recent Advances in Intrusion Detection.

[2] Giovanni Vigna,et al. A stateful intrusion detection system for World-Wide Web servers , 2003, 19th Annual Computer Security Applications Conference, 2003. Proceedings..

[3] Alfonso Valdes,et al. Next-generation Intrusion Detection Expert System (NIDES)A Summary , 1997 .

[4] Marc Dacier,et al. A Lightweight Tool for Detecting Web Server Attacks , 2000, NDSS.

[5] Stephanie Forrest,et al. Intrusion Detection Using Sequences of System Calls , 1998, J. Comput. Secur..

[6] Joseph Lee,et al. DIDAFIT: Detecting Intrusions in Databases Through Fingerprinting Transactions , 2002, ICEIS.

[7] Peter G. Neumann,et al. EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances , 1997, CCS 2002.

[8] Dorothy E. Denning,et al. An Intrusion-Detection Model , 1986, 1986 IEEE Symposium on Security and Privacy.

[9] Christophe Bidan,et al. An Improved Reference Flow Control Model for Policy-Based Intrusion Detection , 2003, ESORICS.

[10] Sin Yeung Lee,et al. Learning Fingerprints for a Database Intrusion Detection System , 2002, ESORICS.