Article

Adaptive, Model-Based Monitoring for Cyber Attack Detection

Authors:

Alfonso Valdes,

Keith SkinnerAuthors Info & Claims

RAID '00: Proceedings of the Third International Workshop on Recent Advances in Intrusion Detection

Pages 80 - 92

Published: 02 October 2000 Publication History

Abstract

Inference methods for detecting attacks on information resources typically use signature analysis or statistical anomaly detection methods. The former have the advantage of attack specificity, but may not be able to generalize. The latter detect attacks probabilistically, allowing for generalization potential. However, they lack attack models and can potentially "learn" to consider an attack normal.

Herein, we present a high-performance, adaptive, model-based technique for attack detection, using Bayes net technology to analyze bursts of traffic. Attack classes are embodied as model hypotheses, which are adaptively reinforced. This approach has the attractive features of both signature based and statistical techniques: model specificity, adaptability, and generalization potential. Our initial prototype sensor examines TCP headers and communicates in IDIP, delivering a complementary inference technique to an IDS sensor suite. The inference technique is itself suitable for sensor correlation.

References

[1]

Porras, P. and Neumann, P. "EMERALD: Event Monitoring Enabling Responses to Anomalous Live Distrurbances", National Information Security Conference, 1997. http://www.sdl.sri.com/emerald/emerald-niss97.html

Google Scholar

[2]

Valdes, A. and Anderson, D. "Statistical Methods for Computer Usage Anomaly Detection", Third International Workshop on Rough Sets and Soft Computing, San Jose, CA, 1995.

Google Scholar

[3]

P. A. Porras and A. Valdes. Live traffic analysis of TCP/IP gateways. In Proceedings of the Symposium on Network and Distributed System Security. Internet Society, March 1998.

Google Scholar

[4]

Pearl, J. "Probabilistic Reasoning in Intelligent Systems", Morgan-Kaufman (1988).

Crossref

Google Scholar

[5]

Boyen, X. and Koller, D. "Tractable Inference for Complex Stochastic Processes", Proceedings of the 14th Annual Conference on Uncertainty in Artificial Intelligence (UAI-98), Madison, WI, July 1998. http://robotics.Stanford.EDU/xb/uai98/index.html

Crossref

Google Scholar

[6]

Skinner, K. and Valdes, A. "EMERALD#8482; TCP Statistical Analyzer 1998 Evaluation Results", http://www.sdl.sri.com/emerald/98-eval-estat/index.html

Google Scholar

[7]

Lippmann, Richard P., et al. "Evaluating Intrusion Detection Systems: The 1998 DARPA Off-Line Intrusion Detection Evaluation," Proceedings of DARPA Information Survivability Conference and Exposition, DISCEX'00, Jan 25-27, Hilton Head, SC, 2000, http://www.ll.mit.edu/IST/ideval/index.html

Google Scholar

Cited By

View all

Alavizadeh HJang-Jaccard JEnoch SAl-Sahaf HWelch ICamtepe SKim D(2022)A Survey on Cyber Situation-awareness Systems: Framework, Techniques, and InsightsACM Computing Surveys10.1145/353080955:5(1-37)Online publication date: 3-Dec-2022
https://dl.acm.org/doi/10.1145/3530809
Mashhadi MHemmati HGrundy JLe Goues CLo D(2020)Hybrid deep neural networks to infer state models of black-box systemsProceedings of the 35th IEEE/ACM International Conference on Automated Software Engineering10.1145/3324884.3416559(299-311)Online publication date: 21-Dec-2020
https://dl.acm.org/doi/10.1145/3324884.3416559
Mashhadi MHemmati HGuéhéneuc YKhomh FSarro F(2019)An empirical study on practicality of specification mining algorithms on a real-world applicationProceedings of the 27th International Conference on Program Comprehension10.1109/ICPC.2019.00020(65-69)Online publication date: 25-May-2019
https://dl.acm.org/doi/10.1109/ICPC.2019.00020
Show More Cited By

Recommendations

Developing insider attack detection model: a grounded approach
ISI'09: Proceedings of the 2009 IEEE international conference on Intelligence and security informatics

Insider threats and attacks are a known problem. Within an enterprise it is very difficult to detect and identify insider attacks and abuse against Information Systems. A study was conducted by observing a group of IS security analysts who detect and ...
Model-based adaptive DoS attack mitigation
SEAMS '12: Proceedings of the 7th International Symposium on Software Engineering for Adaptive and Self-Managing Systems

Denial of Service (DoS) attacks overwhelm online services, preventing legitimate users from accessing a service, often with impact on revenue or consumer trust. Approaches exist to filter network-level attacks, but application level attacks are harder ...
Cyber Attack: The Truth about Digital Crime, Cyber Warfare and Government Snooping

Comments

Information & Contributors

Information

Published In

RAID '00: Proceedings of the Third International Workshop on Recent Advances in Intrusion Detection

October 2000

226 pages

ISBN:3540410856

Publisher

Springer-Verlag

Berlin, Heidelberg

Publication History

Published: 02 October 2000

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

25
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 01 Sep 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Alavizadeh HJang-Jaccard JEnoch SAl-Sahaf HWelch ICamtepe SKim D(2022)A Survey on Cyber Situation-awareness Systems: Framework, Techniques, and InsightsACM Computing Surveys10.1145/353080955:5(1-37)Online publication date: 3-Dec-2022
https://dl.acm.org/doi/10.1145/3530809
Mashhadi MHemmati HGrundy JLe Goues CLo D(2020)Hybrid deep neural networks to infer state models of black-box systemsProceedings of the 35th IEEE/ACM International Conference on Automated Software Engineering10.1145/3324884.3416559(299-311)Online publication date: 21-Dec-2020
https://dl.acm.org/doi/10.1145/3324884.3416559
Mashhadi MHemmati HGuéhéneuc YKhomh FSarro F(2019)An empirical study on practicality of specification mining algorithms on a real-world applicationProceedings of the 27th International Conference on Program Comprehension10.1109/ICPC.2019.00020(65-69)Online publication date: 25-May-2019
https://dl.acm.org/doi/10.1109/ICPC.2019.00020
Park JChoi DJeon YNam YHong MPark D(2018)Network anomaly detection based on probabilistic analysisSoft Computing - A Fusion of Foundations, Methodologies and Applications10.1007/s00500-017-2679-322:20(6621-6627)Online publication date: 1-Oct-2018
https://dl.acm.org/doi/10.1007/s00500-017-2679-3
Khasanvis SMingyu Li Rahman MSalehi-Fashami MBiswas AAtulasimha JBandyopadhyay SMoritz C(2015)Self-Similar Magneto-Electric Nanocircuit Technology for Probabilistic Inference EnginesIEEE Transactions on Nanotechnology10.1109/TNANO.2015.243961814:6(980-991)Online publication date: 9-Nov-2015
https://dl.acm.org/doi/10.1109/TNANO.2015.2439618
Panda MAbraham APatra M(2015)Hybrid intelligent systems for detecting network intrusionsSecurity and Communication Networks10.1002/sec.5928:16(2741-2749)Online publication date: 10-Nov-2015
https://dl.acm.org/doi/10.1002/sec.592
Tsigkritis TSpanoudakis G(2013)Assessing the genuineness of events in runtime monitoring of cyber systemsComputers and Security10.1016/j.cose.2013.03.01138(76-96)Online publication date: 1-Oct-2013
https://dl.acm.org/doi/10.1016/j.cose.2013.03.011
Luktarhan NJia XHu LXie N(2012)Multi-stage attack detection algorithm based on hidden markov modelProceedings of the 2012 international conference on Web Information Systems and Mining10.1007/978-3-642-33469-6_37(275-282)Online publication date: 26-Oct-2012
https://dl.acm.org/doi/10.1007/978-3-642-33469-6_37
Juszczyszyn KKolaczek G(2011)Motif-based attack detection in network communication graphsProceedings of the 12th IFIP TC 6/TC 11 international conference on Communications and multimedia security10.5555/2046108.2046139(206-213)Online publication date: 19-Oct-2011
https://dl.acm.org/doi/10.5555/2046108.2046139
Li YLu TGuo LTian ZQi L(2009)Optimizing network anomaly detection scheme using instance selection mechanismProceedings of the 28th IEEE conference on Global telecommunications10.5555/1811380.1811451(425-431)Online publication date: 30-Nov-2009
https://dl.acm.org/doi/10.5555/1811380.1811451
Show More Cited By

View Options

View options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Abstract

References

Cited By

Recommendations

Developing insider attack detection model: a grounded approach

Model-based adaptive DoS attack mitigation

Cyber Attack: The Truth about Digital Crime, Cyber Warfare and Government Snooping

Comments

Information

Published In

Publisher

Publication History

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

Get Access

Login options

Full Access

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations