Some computer security breaches cannot be prevented using access and information flow control techniques. These breaches may be a consequence of system software bugs, hardware or software failures, incorrect system administration procedures, or failure of the system authentication module. Intrusion detection techniques can have a significant role in the detection of computer abuse in such cases.
This dissertation describes a pattern matching approach to representing and detecting intrusions, a hitherto untried approach in this field. We have classified intrusions on the basis of structural interrelationships among observable system events. The classification formalizes detection of specific exploitations by examining their manifestations in the system event trace. Thus, we can talk about intrusion signatures belonging to particular categories in the classification, instead of vulnerabilities that result in intrusions.
The classification developed in this dissertation can also be used for developing computational models to detect intrusions in each category by exploiting the common structural interrelationships of events comprising the signatures in that category. We can then look at signatures of interest that can be matched efficiently, instead of attempting to devise a comprehensive set of techniques to detect any violation of the security policy. We define and justify a computational model in which intrusions from our classification can be represented and matched. We also present experimental results based on an implementation of the model tested against real-world intrusions.
Index Terms
- Classification and detection of computer intrusions