Intrusion detection systems (IDSs) attempt to identify attacks by comparing collected data to predefined signatures known to be malicious (misuse-based IDSs) or to a model of legal behavior (anomaly-based IDSs). Anomaly-based approaches have the advantage of being able to detect previously unknown attacks, but they suffer from the difficulty of building robust models of acceptable behavior which may result in a large number of false alarms. Almost all current anomaly-based intrusion detection systems classify an input event as normal or anomalous by analyzing its features, utilizing a number of different models. A decision for an input event is made by aggregating the results of all employed models. We have

This paper investigates the subject of intrusion detection over networks. Existing network-based IDS's are categorised into three groups and the overall architecture of each group is summarised and assessed. A new methodology to this problem is then presented, which is inspired by the human immune system and based on a novel artificial immune model. The architecture of the model is presented and its characteristics are compared with the requirements of network-based IDS's. The paper concludes that this new approach shows considerable promise for future network-based IDS's.

Abstract not found

Past active Internet worms have caused widespread damage. Knowing the connection characteristics of such a worm very early in its proliferation cycle might provide first responders an opportunity to intercept a global scale epidemic. We are presenting a scalable framework for detecting, in near-realtime, active Internet worms on global networks, both public and private. By aggregating network error messages resulting from failed attempts at packet delivery, we are able to infer deviant connection behavior of hosts on interconnected networks. The Internet Control Message Protocol (ICMP) provides such error notification. Using a potentially unlimited number of collectors and analyzers, we identify ‘blooms ’ of activity. The connection characteristics of these ‘blooms ’ are then correlated to identify worm-like behavior, and an alert is raised. Promising results have been produced with a simulated Internet worm, demonstrating that new worms can be detected within the first few minutes after release, depending on the level of participating router coverage. 1

Abstract not found

In this paper, we study the defensibility of large scale-free networks against malicious rapidly self-propagating code such as worms and viruses. We develop a framework to investigate the profiles of such code as it infects a large network. Based on these profiles and large-scale network percolation studies, we investigate features of networks that render them more or less defensible against worms. However, we wish to preserve mission-relevant features of the network, such as basic connectivity and resilience to normal nonmalicious outages. We aim to develop methods to help design networks that preserve critical functionality and enable more e#ective defenses.

This paper details an essential component of a multi-agent distributed knowledge network system for intrusion detection. We describe a distributed intrusion detection architecture, complete with a data warehouse and mobile and stationary agents for distributed problem-solving to facilitate building, monitoring, and analyzing global, spatio-temporal views of intrusions on large distributed systems. An agent for the intrusion detection system, which uses a machine learning approach to automated discovery of concise rules from system call traces, is described. We use a feature vector representation to describe the system calls executed by privileged processes. The feature vectors are labeled as good or bad depending on whether or not they were executed during an observed attack. A rule learning algorithm is then used to induce rules that can be used to monitor the system and detect potential intrusions. We study the performance of the rule learning algorithm on this task with an...

This paper presents a negative selection algorithm with niching by an artificial immune system, for network intrusion detection. The paper starts by introducing the advantages of negative selection algorithm as a novel distributed anomaly detection approach for the development of a network intrusion detection system. After discussing the problems of existing approaches using negative selection for network intrusion detection, this paper presents a modified negative selection algorithm with niching, which shows diversity, generality and requires less computation time. The network packet data used in this work is then introduced and a novel genotype encoding scheme to handle this data and a corresponding fitness function is explained. 1 INTRODUCTION The biological immune system has been successful at protecting the human body against a vast variety of foreign pathogens (Tizard, 1995). A growing number of computer scientists have carefully studied the success of this comp...

Network intrusion detection systems have become a standard component in security infrastructures. Unfortunately, current systems are poor at detecting novel attacks without an unacceptable level of false alarms. We propose that the solution to this problem is the application of an ensemble of data mining techniques which can be applied to network connection data in an offline environment, augmenting existing real-time sensors. In this paper, we expand on our motivation, particularly with regard to running in an offline environment, and our interest in multisensor and multimethod correlation. We then review existing systems, from commercial systems, to research based intrusion detection systems. Next we survey the state of the art in the area. Standard datasets and feature extraction turned out to be more important than we had initially anticipated, so each can be found under its own heading. Next, we review the actual data mining methods that have been proposed or implemented. We conclude by summarizing the open problems in this area, along with some questions of a broader scope. We hope that by providing the motivation and summarizing the work in this area that we can stimulate further research.

This paper describes a prototype intelligent intrusion detection system (IIDS) that is being developed to demonstrate the effectiveness of data mining techniques that utilize fuzzy logic. This system combines two distinct intrusion detection approaches: 1) anomaly based intrusion detection using fuzzy data mining techniques, and 2) misuse detection using traditional rule-based expert system techniques. The anomaly-based components look for deviations from stored patterns of normal behavior. The misuse detection components look for previously described patterns of behavior that are likely to indicate an intrusion. Both network traffic and system audit data are used as inputs.