Misuse-based intrusion Detection using Bayesian networks

This paper presents an application of Bayesian networks to the process of intrusion Detection in computer networks. The presented system, called Bayesian system for intrusion Detection (Basset) extends functionality of Snort, an open-source network intrusion Detection system (NIDS), by incorporating Bayesian networks as additional processing stages. The flexible nature of this solution allows it to be used both for misuse-based and Anomaly-Based Detection process; this paper concentrates on the misuse-based Detection. The ultimate goal is to provide better Detection capabilities and less chance of false alerts by creating a platform capable of evaluating Snort alerts in a broader context – other alerts and network traffic in general. An ability to include on-demand information from third party programmes is also an important feature of the presented approach to intrusion Detection.

DepCoS-RELCOMEX – Anomaly-Based Intrusion Detection Using Bayesian Networks

This paper presents an application of Bayesian networks to the process of intrusion Detection in computer networks. The presented system, called Basset (Bayesian system for intrusion Detection) extends functionality of Snort, an open-source NIDS, by incorporating Bayesian networks as additional processing stages. The flexible nature of this solution allows it to be used both for misuse-based and Anomaly-Based Detection process; this paper concentrates on the Anomaly-Based Detection. The ultimate goal is to create a hybrid, misuse anomaly based solution that will allow interaction between these two techniques of intrusion Detection. Ability to alter its behaviour based on historical data is also an important feature of the described system.

DepCoS-RELCOMEX – Misuse-Based Intrusion Detection Using Bayesian Networks

This paper presents an application of Bayesian networks to the process of intrusion Detection in computer networks. The presented system, called Basset (Bayesian system for intrusion Detection) extends functionality of Snort, an open-source NIDS, by incorporating Bayesian networks as additional processing stages. The flexible nature of this solution allows it to be used both for misuse-based and Anomaly-Based Detection process; this paper concentrates on the misuse-based Detection. The ultimate goal is to provide better Detection capabilities and less chance of false alarms by creating a platform capable of evaluating Snort alerts in a broader context – other alerts and network traffic in general. An ability to include on-demand information from third party programs is also an important feature of the presented approach to intrusion Detection.

NDSS – Using Generalization and Characterization Techniques in the Anomaly-Based Detection of Web Attacks.

The custom, ad hoc nature of web applications makes learning-based anomaly Detection systems a suitable approach to provide early warning about the exploitation of novel vulnerabilities. However, Anomaly-Based systems are known for producing a large number of false positives and for providing poor or non-existent information about the type of attack that is associated with

RAID – Swaddler: an approach for the Anomaly-Based Detection of state violations in web applications

In recent years, web applications have become tremendously popular, and nowadays they are routinely used in security-critical environments, such as medical, financial, and military systems. As the use of web applications for critical services has increased, the number and sophistication of attacks against these applications have grown as well. Most approaches to the Detection of web-based attacks analyze the interaction of a web application with its clients and back-end servers. Even though these approaches can effectively detect and block a number of attacks, there are attacks that cannot be detected only by looking at the external behavior of a web application.

In this paper, we present Swaddler, a novel approach to the Anomaly-Based Detection of attacks against web applications. Swaddler analyzes the internal state of a web application and learns the relationships between the application’s critical execution points and the application’s internal state. By doing this, Swaddler is able to identify attacks that attempt to bring an application in an inconsistent, anomalous state, such as violations of the intended workflow of a web application. We developed a prototype of our approach for the PHP language and we evaluated it with respect to several real-world applications.

swaddler an approach for the anomaly based Detection of state violations in web applications

In recent years, web applications have become tremendously popular, and nowadays they are routinely used in security-critical environments, such as medical, financial, and military systems. As the use of web applications for critical services has increased, the number and sophistication of attacks against these applications have grown as well. Most approaches to the Detection of web-based attacks analyze the interaction of a web application with its clients and back-end servers. Even though these approaches can effectively detect and block a number of attacks, there are attacks that cannot be detected only by looking at the external behavior of a web application.

In this paper, we present Swaddler, a novel approach to the Anomaly-Based Detection of attacks against web applications. Swaddler analyzes the internal state of a web application and learns the relationships between the application’s critical execution points and the application’s internal state. By doing this, Swaddler is able to identify attacks that attempt to bring an application in an inconsistent, anomalous state, such as violations of the intended workflow of a web application. We developed a prototype of our approach for the PHP language and we evaluated it with respect to several real-world applications.

Performance Evaluation of Anomaly-Based Detection Mechanisms

Common practice in Anomaly-Based intrusion Detection is that one size fits all: a single anomaly detector should detect all anomalies. Compensation for any performance shortcomings is sometimes effected by resorting to correlation techniques, which could be seen as making use of detector diversity. Such diversity is intuitively based on the assumption that detector coverage is different – perhaps widely different – for different detectors, each covering some disparate portion of the anomaly space. Diversity, then, enhances Detection coverage by combining the coverages of individual detectors across multiple sub-regions of the anomaly space, resulting in an overall Detection coverage that is superior to the coverage of any one detector. No studies have been done, however, in which measured effects of diversity in anomaly detectors have been obtained. This paper explores the effects of using diverse anomalyDetection algorithms (algorithmic diversity) in intrusion Detection. Experimental results indicate that while performance/coverage improvements can in fact be effected by combining diverse Detection algorithms, the gains are surprisingly not the result of combining large, non-overlapping regions of the anomaly space. Rather, the gains are seen at the edges of the space, and are heavily dependent on the parameter values of the detectors, as well as on the characteristics of the anomalies. As a consequence of this study, defenders can be provided with detailed knowledge of diverse detectors, how to combine and parameterize them, and under what conditions, to effect diverse Detection performance that is superior to the performance of a single detector.

Benchmarking Anomaly-Based Detection systems

Anomaly Detection is a key element of intrusion Detection and other Detection systems in which perturbations of normal behavior suggest the presence of intentionally or unintentionally induced attacks, faults, defects, etc. Because most anomaly detectors are based on probabilistic algorithms that exploit the intrinsic structure (or regularity) embedded in data logs, a fundamental question is whether or not such structure influences Detection performance. If detector performance is indeed a function of environmental regularity, it would be critical to match detectors to environmental characteristics. In intrusion-Detection settings, however, this is not done, possibly because such characteristics are not easily ascertained. This paper introduces a metric for characterizing structure in data environments, and tests the hypothesis that intrinsic structure influences probabilistic Detection. In a series of experiments, an anomaly Detection algorithm was applied to a benchmark suite of 165 carefully calibrated, anomaly-injected data sets of varying structure. The results showed performance differences of as much as an order of magnitude, indicating that current approaches to anomaly Detection may not be universally dependable.

DSN – Benchmarking Anomaly-Based Detection systems

Anomaly Detection is a key element of intrusion Detection and other Detection systems in which perturbations of normal behavior suggest the presence of intentionally or unintentionally induced attacks, faults, defects, etc. Because most anomaly detectors are based on probabilistic algorithms that exploit the intrinsic structure (or regularity) embedded in data logs, a fundamental question is whether or not such structure influences Detection performance. If detector performance is indeed a function of environmental regularity, it would be critical to match detectors to environmental characteristics. In intrusion-Detection settings, however, this is not done, possibly because such characteristics are not easily ascertained. This paper introduces a metric for characterizing structure in data environments, and tests the hypothesis that intrinsic structure influences probabilistic Detection. In a series of experiments, an anomaly Detection algorithm was applied to a benchmark suite of 165 carefully calibrated, anomaly-injected data sets of varying structure. The results showed performance differences of as much as an order of magnitude, indicating that current approaches to anomaly Detection may not be universally dependable.