Author:
Nathalie Dagorn
Affiliation:
Laboratory of Algorithmic, Cryptology and Security (LACS), University of Luxembourg, Luxembourg
Keyword(s):
Intrusion detection, anomaly detection, Web attack, false positive, Bayesian network, alarm clustering.
Related Ontology Subjects/Areas/Topics:
Information and Systems Security; Intrusion Detection & Prevention
Abstract:
Intrusion detection systems (IDS) are usually classified into two categories: misuse detection and anomaly detection. Misuse detection is based on signatures; it is precise but can only accommodate already known attacks. By contrast, anomaly detection models a system's usual behavior and is able to detect new attacks, but major challenges remain to be solved in this field, in particular improving the detection process and reducing false alarms. At the application/service level, several misuse detection systems exist and work, but only one anomaly detection system is known to be effective so far. In this short paper, we propose a Web learning-based anomaly detection system that builds on this system and on academic research in several fields, which we improved. The system analyzes HTTP requests as logged by most Web servers; it deals exclusively with queries that contain attributes. The analysis process implements a multi-model statistical approach. A Bayesian network is used as the decision process, with six states (one normal state and five attack states) at the classification node. The system is improved after each log analysis by an alarm clustering technique that filters false positives. Compared to traditional anomaly detection systems, the system we present gains in sensitivity (each step of the process reduces the number of false positives to be dealt with) and in specificity (if an attack is detected, its type is immediately specified). Moreover, a cooperation feature (alarm correlation) with other systems is proposed for distributed intrusion detection. To date, the system has only been partially implemented, but preliminary experiments in a real environment show encouraging results.
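The pipeline the abstract sketches, as an added Python example that is not the paper's implementation: parse Web server access-log lines, keep only requests whose query carries attributes, score each attribute value against per-attribute statistical models learned from normal traffic, and cluster the resulting alarms by (path, attribute, model) so a recurring one can be reviewed and dismissed once. The two models (value length via a Chebyshev bound, and a character-class profile via a chi-square-style distance), the 0.5 threshold that stands in for the paper's Bayesian decision step, the character classes and the log lines are all constructed for illustration; the paper's six-state classification and its alarm correlation with other systems are not reproduced.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')  # common log format

def parse_log_line(line):
    """(client, path, [(attr, value), ...]); None for unparsable lines or requests without attributes."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group(4))
    params = parse_qsl(url.query, keep_blank_values=True)  # decodes %xx escapes and '+'
    return (m.group(1), url.path, params) if params else None

N_CLASSES = 4  # constructed character classes: letters, digits, separators, everything else
def char_class(c):
    return 0 if c.isalpha() else 1 if c.isdigit() else 2 if c in " -_." else 3

class AttributeModel:
    """Per-(path, attribute) statistics behind two models: value length and character-class profile."""
    def __init__(self):
        self.n, self.len_sum, self.len_sq = 0, 0.0, 0.0
        self.class_counts = [0] * N_CLASSES

    def train(self, value):
        self.n += 1
        self.len_sum += len(value)
        self.len_sq += len(value) ** 2
        for c in value:
            self.class_counts[char_class(c)] += 1

    def length_anomaly(self, value):
        """1 minus the Chebyshev bound var/t^2 on the excess length t; values no longer than the mean score 0."""
        mu = self.len_sum / self.n
        var = max(0.0, self.len_sq / self.n - mu ** 2)
        t = len(value) - mu
        if t <= 0:
            return 0.0
        return 1.0 if var == 0 else 1.0 - min(1.0, var / t ** 2)

    def char_anomaly(self, value):
        """Chi-square distance to the add-one-smoothed training class profile, squashed into [0, 1)."""
        if not value:
            return 0.0
        total = sum(self.class_counts) + N_CLASSES
        expected = [len(value) * (c + 1) / total for c in self.class_counts]
        observed = [sum(char_class(c) == k for c in value) for k in range(N_CLASSES)]
        chi2 = sum((o - e) ** 2 / e for o, e in zip(observed, expected))
        return chi2 / (chi2 + len(value))

class Detector:
    THRESHOLD = 0.5  # constructed cut-off standing in for the paper's Bayesian decision step
    def __init__(self):
        self.models = defaultdict(AttributeModel)

    def train(self, lines):
        for _, path, params in filter(None, map(parse_log_line, lines)):
            for attr, value in params:
                self.models[(path, attr)].train(value)

    def analyze(self, line):
        """Alarms (client, path, attr, model, score) raised by one log line."""
        parsed = parse_log_line(line)
        if not parsed:
            return []
        client, path, params = parsed
        alarms = []
        for attr, value in params:
            model = self.models.get((path, attr))
            if model is None:  # a parameter never seen in training is itself suspicious
                alarms.append((client, path, attr, "unseen-attribute", 1.0))
                continue
            for name, score in (("length", model.length_anomaly(value)), ("chars", model.char_anomaly(value))):
                if score >= self.THRESHOLD:
                    alarms.append((client, path, attr, name, round(score, 3)))
        return alarms

def cluster_alarms(alarms):
    """Group alarms by (path, attr, model): a recurring benign pattern is reviewed and dismissed once."""
    clusters = defaultdict(list)
    for alarm in alarms:
        clusters[alarm[1:4]].append(alarm)
    return dict(clusters)

TRAIN = [  # constructed normal traffic: eight searches on one endpoint
    f'10.0.0.{i} - - [10/Oct/2023:13:55:{i:02d} +0000] "GET /search.php?q={q}&page={p} HTTP/1.1" 200 512'
    for i, (q, p) in enumerate([("shoes", 1), ("red+shoes", 2), ("running+shoes", 1), ("boots", 3),
                                ("winter+jacket", 1), ("hat", 1), ("gloves", 2), ("socks", 1)], start=1)
]
TEST = [  # constructed: one benign search, two injection-style values, one request without attributes
    '10.0.0.9 - - [10/Oct/2023:14:00:00 +0000] "GET /search.php?q=sandals&page=1 HTTP/1.1" 200 480',
    '10.0.0.10 - - [10/Oct/2023:14:00:01 +0000] "GET /search.php?q=%27+OR+1%3D1--&page=1 HTTP/1.1" 200 480',
    '10.0.0.11 - - [10/Oct/2023:14:00:02 +0000] "GET /search.php?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&page=1 HTTP/1.1" 200 480',
    '10.0.0.12 - - [10/Oct/2023:14:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024',
]
```

To run it, train a Detector on TRAIN and call analyze() on each TEST line: the benign search and the attribute-less request raise nothing, the quote-and-equals value trips the character model only (it is not long enough for the length model to fire), and the script tag trips both models; cluster_alarms() then folds the three alarms into two clusters, one per model, so an analyst who decides a cluster is benign dismisses it once. A parameter name that never appeared in training raises its own alarm, which is the cheapest check of all and worth keeping in any attribute-level detector.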