NOVEL AND ANOMALOUS BEHAVIOR DETECTION USING BAYESIAN NETWORK CLASSIFIERS

Salem Salem, Karim Tabia

2008

Abstract

Bayesian networks have been widely used in intrusion detection. However, most studies have found them ineffective for anomaly detection, because novel attacks and previously unseen behaviors are poorly detected. In this paper, we first trace this problem to the inadequate treatment of novel and unusual behaviors and to decision rules that do not meet the requirements of the anomaly detection approach. We accordingly propose to enhance the standard Bayesian classification rule so that it fits anomaly detection objectives and effectively detects novel attacks. Experiments on recent, real HTTP traffic show that Bayesian classifiers using the enhanced decision rules detect most novel attacks without triggering significantly higher false alarm rates.
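The abstract contrasts the standard Bayesian classification rule, which always assigns a request to the most probable known class, with an enhanced rule that treats unseen behavior as anomalous. The following Python is an added illustration of that distinction and is not code from the paper; the paper's exact decision rule is not reproduced here. It trains a naive Bayes classifier over discrete HTTP request features and applies two decision rules: the standard argmax rule, and an enhanced rule with a reject option that returns "novel" when the request's likelihood under the winning class is lower than that of every training instance of the class by more than a slack margin. The feature extractor, the closed vocabularies, the slack of 1.0 nat, and all training and test request lines are constructed assumptions for the example.

```python
import math
from collections import Counter

# Closed vocabulary per feature (assumed), so Laplace smoothing has a
# well-defined value count V even for values never seen in training.
VOCAB = {
    "method": ("GET", "POST", "OTHER"),
    "length": ("short", "long"),
    "query": ("noquery", "query"),
    "specials": ("none", "few", "many"),
    "traversal": ("no", "yes"),
}
SPECIAL_CHARS = set("'\";<>|&`$%")  # assumed set of injection-typical characters


def extract(method, path):
    """Map a raw request line to one discrete value per feature (assumed features)."""
    specials = sum(ch in SPECIAL_CHARS for ch in path)
    return {
        "method": method if method in ("GET", "POST") else "OTHER",
        "length": "long" if len(path) > 40 else "short",
        "query": "query" if "?" in path else "noquery",
        "specials": "none" if specials == 0 else ("few" if specials <= 2 else "many"),
        "traversal": "yes" if "../" in path else "no",
    }


class NaiveBayes:
    """Naive Bayes with Laplace smoothing plus a likelihood-based reject option."""

    def __init__(self, slack=1.0):
        self.slack = slack          # margin in nats below the least typical training instance
        self.n = Counter()          # class -> number of training instances
        self.counts = {}            # class -> feature -> Counter of values
        self.prior = {}
        self.min_ll = {}            # class -> novelty threshold on the log-likelihood

    def fit(self, samples):
        for feats, label in samples:
            self.n[label] += 1
            per_feature = self.counts.setdefault(label, {f: Counter() for f in VOCAB})
            for f, v in feats.items():
                per_feature[f][v] += 1
        total = sum(self.n.values())
        self.prior = {c: self.n[c] / total for c in self.n}
        # Novelty threshold per class: the log-likelihood of the least typical
        # training instance of that class, minus the slack margin.
        self.min_ll = {
            c: min(self.loglik(feats, c) for feats, l in samples if l == c) - self.slack
            for c in self.n
        }
        return self

    def loglik(self, feats, c):
        """log P(x | c) under the conditional-independence assumption, Laplace-smoothed."""
        return sum(
            math.log((self.counts[c][f][v] + 1) / (self.n[c] + len(VOCAB[f])))
            for f, v in feats.items()
        )

    def posterior(self, feats):
        joint = {c: math.log(self.prior[c]) + self.loglik(feats, c) for c in self.prior}
        m = max(joint.values())
        z = sum(math.exp(j - m) for j in joint.values())
        return {c: math.exp(j - m) / z for c, j in joint.items()}

    def classify_standard(self, feats):
        """Standard rule: the most probable known class, whatever its likelihood."""
        post = self.posterior(feats)
        return max(post, key=post.get)

    def classify_enhanced(self, feats):
        """Enhanced rule: reject as 'novel' when the request is less typical of
        the winning class than any training instance of that class."""
        best = self.classify_standard(feats)
        if self.loglik(feats, best) < self.min_ll[best]:
            return "novel"
        return best


# Constructed training set: benign traffic and one known attack class.
TRAIN = [
    ("GET", "/index.html", "normal"), ("GET", "/images/logo.png", "normal"),
    ("GET", "/search?q=bayes", "normal"), ("POST", "/login", "normal"),
    ("GET", "/docs/manual.pdf", "normal"), ("GET", "/search?q=anomaly+detection", "normal"),
    ("POST", "/cart/add", "normal"), ("GET", "/about", "normal"),
    ("GET", "/search?q=' OR '1'='1", "sqli"), ("GET", "/item?id=1' UNION SELECT 1,2,3--", "sqli"),
    ("POST", "/login?user=admin'--", "sqli"), ("GET", "/search?q=';DROP TABLE users;--", "sqli"),
]

# Constructed test requests: benign, a known attack, and an attack class absent from training.
TEST = [("GET", "/products?page=2"), ("GET", "/search?q=' OR '1'='1"), ("GET", "/../../../etc/passwd")]


def build_model():
    return NaiveBayes(slack=1.0).fit([(extract(m, p), label) for m, p, label in TRAIN])


def demo():
    """Return {request line: (standard decision, enhanced decision)} for TEST."""
    model = build_model()
    return {f"{m} {p}": (model.classify_standard(extract(m, p)),
                         model.classify_enhanced(extract(m, p))) for m, p in TEST}


if __name__ == "__main__":
    for req, (standard, enhanced) in demo().items():
        print(f"{req:40s} standard={standard:7s} enhanced={enhanced}")
```

The path traversal request is the instructive case: under the standard rule it is labelled normal, because the benign class has the larger prior and the attack's unseen feature value is merely smoothed down rather than treated as evidence of something new. The enhanced rule notices that the request is less typical of the benign class than any benign training instance and rejects it as novel, while the benign request and the known SQL injection keep their labels, which is the behaviour the abstract describes as the goal: catching novel attacks without a matching rise in false alarms.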



Paper Citation


in Harvard Style

Salem S. and Tabia K. (2008). NOVEL AND ANOMALOUS BEHAVIOR DETECTION USING BAYESIAN NETWORK CLASSIFIERS. In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2008) ISBN 978-989-8111-59-3, pages 13-20. DOI: 10.5220/0001923300130020


in Bibtex Style

@conference{secrypt08,
author={Salem Salem and Karim Tabia},
title={NOVEL AND ANOMALOUS BEHAVIOR DETECTION USING BAYESIAN NETWORK CLASSIFIERS},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2008)},
year={2008},
pages={13-20},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0001923300130020},
isbn={978-989-8111-59-3},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2008)
TI - NOVEL AND ANOMALOUS BEHAVIOR DETECTION USING BAYESIAN NETWORK CLASSIFIERS
SN - 978-989-8111-59-3
AU - Salem S.
AU - Tabia K.
PY - 2008
SP - 13
EP - 20
DO - 10.5220/0001923300130020