IADIS International Conference Applied Computing 2009
UNSUPERVISED ANOMALY DETECTION SYSTEM FOR NIDS-S BASED ON PAYLOAD AND PROBABILISTIC SUFFIX TREES

Iñigo Perona, Olatz Arbelaitz, Ibai Gurrutxaga, José I. Martín, Javier Muguerza, Jesús M. Pérez
Computer Architecture and Technology Dept., University of the Basque Country, Donostia, Spain
ABSTRACT

Due to the popularity of computer networks, the detection of network attacks is a critical aspect of the security of companies. As a consequence, any complete security package includes a network Intrusion Detection System (nIDS). This work focuses on nIDSs that work by scanning the network traffic. We combined classifiers based on packet header information with a service-independent payload based approach built on Probabilistic Suffix Trees (PST) to increase detection rates for non-flood attacks. This option is efficient, since there is no need to pre-process the payload, and besides it outperforms systems based on the ad hoc payload processing proposed in kddcup99, efficiently detecting most of the attack types. This leads us to conclude that payload analysis based on PST is an efficient manner, with no service- or port-specific modeling, to detect attacks in network traffic.

KEYWORDS

Network intrusion detection, outlier detection, payload, probabilistic suffix trees, clustering.
1. INTRODUCTION

Network attacks affect the security of the information stored on computers connected to the network, and the stability of the network itself. Therefore, it is very important to build systems that are able to detect attacks before they cause damage. Any complete security package includes a network Intrusion Detection System (nIDS). The detection of network attacks can be done by human analysis or automatically. The former requires memorization, looking up description libraries or searching sample collections, and it is not effective: it is too time consuming and subjective. As a consequence, security systems require automated and robust nIDSs.

Data mining techniques are useful tools for solving this kind of problem, and the literature contains many examples of attack detection systems based on those techniques, mainly trained on labeled data. The three main approaches for data mining based nIDSs are the misuse detection approach (Lee et al. 1999), the anomaly detection approach (Warrender et al. 1999) and the unsupervised anomaly detection approach (Portnoy et al. 2001). The underlying idea in unsupervised anomaly detection strategies is that most connections will belong to normal traffic and that the connections belonging to attacks will have different characteristics. These ideas make it suitable to be formulated as an outlier detection problem.

This work focuses on unsupervised anomaly detection for detecting non-flood attacks in nIDSs. The characteristics of the attacks change depending on the kind of attack and, as a consequence, the suitability of a tool to detect them will also change. For example, flood attacks generate a lot of traffic and most of them can be successfully detected by scanning the TCP/IP headers of network packets. On the contrary, non-flood attacks only need a few connections to cause damage and, as a consequence, header information is not enough to detect most of them.
It is nearly impossible for systems based on traffic models to detect User to Root (U2R) or Remote to Local (R2L) attacks, because the intruder only has to send very few packets (often, a single one is enough). U2R and R2L attacks are actually the only ones that allow the intruder to obtain complete control of the attacked system and, as a consequence, they can lead to catastrophic consequences. In this context some authors propose the use of another source of information: the transferred information, or payload. The payload can be seen as a sequence of ASCII characters, but generally its features vary depending on the kind of network connection and service. As a consequence, most payload based nIDSs we found in the literature were service-specific and very context dependent (Krügel et al. 2002, Wang and Stolfo 2004 and Lee 1999). However, new attacks and services appear every day, and this makes it important to be able to build a system that works in any environment, independently of the kind of services or machines.

In a previous work, Perona et al. (2008) proved that information obtained from general payload processing, combined with outlier detection techniques, is useful to detect non-flood attacks. They processed the payloads based on byte frequencies and also with sequence comparison methods, and used clustering as the outlier detection technique. They compared the results achieved with their system, general payload processing, to the ones achieved with specific or service dependent payload processing. The results showed that general payload processing can be used to build efficient anomaly detection systems for network attack detection. Furthermore, it can be used to complement techniques based on packet header analysis, since the proposed combinations always improved the results.

In this work we aimed to obtain a computationally efficient system that avoids payload processing. With this aim we used machine learning algorithms that are adequate for sequences and have been shown to be efficient outlier detection techniques, such as Probabilistic Suffix Trees (PST) (Ron et al. 1996 and Sun et al. 2006).

The paper proceeds by describing some related work in Section 2. In Section 3 we describe the approach we used in this work for intrusion detection. The paper continues in Section 4, where we describe the data used in the experimentation, and we present experimental results in Section 5. Finally, we summarize in Section 6 the conclusions and further work.

ISBN: 978-972-8924-97-3 © 2009 IADIS
2. RELATED WORK

We found in the literature three main data mining based approaches for network intrusion detection: misuse detection, anomaly detection and unsupervised anomaly detection.

In the misuse detection approach, used in systems such as MADAM/ID (Lee et al. 1999), the classifier learns from a set of labeled connections containing both normal traffic and attacks, and in subsequent uses it recognizes known attacks. These methods have two main problems: on the one hand, it is very difficult to obtain completely labeled network traffic and, on the other hand, they cannot solve the zero-day problem. As a consequence, new attacks will always succeed in damaging the system. This means that the systems need to be revised each time a new kind of intrusion appears, and this happens every day. Nevertheless, the primary objective should be to detect the first occurrence of an intrusion and prevent it from damaging any victim.

The anomaly detection approach (Warrender et al. 1999) profiles normal network traffic behavior and detects attacks when the observed traffic deviates from the modeled behavior. Classifiers learn how normal traffic behaves, and any anomalous connection is considered to be an attack. As a consequence, if the engineers do not model all the kinds of normal traffic, the systems will have high false positive rates. Moreover, in real environments it is not usual to have purely normal data, and these approaches need it in order to model just normal traffic. If any attack is left in the hypothetically pure normal data, this attack will be learned as normal traffic and the IDS will never produce an alert related to it.

Due to the problems of the previous approaches, many researchers started working on a third one: unsupervised anomaly detection (Portnoy et al. 2001). It does not need purely normal data; it uses unlabeled data, which is easy to obtain.
This option works under the assumption that the volume of normal traffic is much greater than the traffic containing attacks and, furthermore, that the intrusions' behavior is different from that of normal data. Under these assumptions the intrusion detection problem can be confronted using outlier detection techniques. Obviously these methods are inadequate for detecting flood attacks, because such attacks usually need to send a large number of packets in a short time and, as a consequence, they naturally form large groups that will not be detected as anomalies. Nevertheless, flood attacks are easy to detect, and some authors achieve high detection rates using systems that scan network traffic or analyze headers (Noh et al. 2008).

Although it is long since the first anomaly detection approaches appeared, it is still a successful approach used in many systems. An example of the use of this methodology is the number of papers mentioning it at the Recent Advances in Intrusion Detection conference, RAID, in 2008. Ashfaq et al. (2008), for example, presented a comparative evaluation of 8 recently developed anomaly detectors under portscan attacks from the accuracy, scalability, complexity and detection delay points of view. The authors built two independently collected datasets for the evaluation, both of them including packet header information, since all the evaluated systems are based on this information. On the other hand, Dagorn (2008) presented an anomaly-based intrusion detection system for web applications, and Rehak et al. (2008) presented a way to improve the error rate in anomaly detection by collective trust modeling.

However, most of these works use only packet header information; they do not use the transferred information, or payload. The transferred information usually depends on the kind of service and, as a consequence, the payload of different network connections can be very different. This is probably why there are few works where the payload is used to model network traffic and detect possible intruders. We find the first example of payload processing in the content variables of Kddcup99 (Lee 1999). In this case, the author obtained some information from the payload based on the experts' experience. The processing was totally static and manually drawn; it had no learning capability at all. This kind of processing is very context dependent and it can only be done for some well known services and protocols. For these systems to be adapted to new situations, the experts would need to manually analyze the network data and adapt their knowledge to new attacks. Similarly, Krügel et al. (2002) presented a work that focuses on R2L attacks and uses service-specific knowledge about the payload to increase the detection rate of intrusions. They implemented a prototype that can process HTTP and DNS traffic, although they only presented results for DNS. Wang and Stolfo (2004) also proposed a host- and port-specific system conditioned by the payload length.
They based their work on profiling the byte frequency distribution and computed the standard deviation of the application-level payload flowing to a single host and port during a training phase. They used the Mahalanobis distance during the detection phase, and if the distance exceeded a certain threshold the system generated an alarm. In a different context, Waizumi et al. (2007) also processed the payload as byte histograms for early worm detection. But their work was different: instead of concentrating on the reduction of false positives, and as a consequence on the AUC in a network, they proposed a payload processing methodology to detect worms in different networks; they only experimented with one worm, Beagle_AV. In a previous work on nIDSs, Perona et al. (2008) tried several different techniques for general payload processing. All the options were able to efficiently detect some of the attack types. That work showed that general payload analysis can be effective, but the best results were always achieved when the NCD sequence comparison method (Li et al. 2004) was included for payload processing, which was computationally costly. The present work tries a more efficient methodology for payload processing: PST (Ron et al. 1996 and Sun et al. 2006).
3. COMBINED UNSUPERVISED ANOMALY DETECTION SYSTEM

Unsupervised anomaly detection strategies can be formulated as outlier detection problems (Hodge and Austin 2004); they usually build probabilistic models of the data using the complete sample, which help them decide whether or not the connections are attacks. Network data can be divided into two main parts: the connection header information and the transferred information, or payload. Since the information in the TCP/IP headers is well known, it can be processed to obtain a tabular representation with intrinsic (I) and traffic (T) variables. On the contrary, payload processing can be difficult because its format in a packet depends on the application and the protocol used. Payload data can generally be seen as a sequence of bytes, so it could either be processed to obtain a tabular representation with some kind of information, or it could be used with a method that is adequate for sequences.

In this proposal, we worked with both kinds of information and we used two different techniques for unsupervised anomaly detection, one for packet header information and the other one for the payload.

In the case of the packet header information, based on the experience of other authors (Eskin et al. 2002 and Leung and Leckie 2005), we applied the Fixed-Width clustering algorithm, also known as the Leader algorithm (Spath 1980). Fixed-Width scales linearly with the number of examples in the database and the number of clusters, but it does not accurately fit databases with clusters of different sizes; it over-partitions the largest clusters. Nevertheless, in the unsupervised anomaly detection context we are interested just in the small clusters, so this drawback of the algorithm is not a real problem. We used it combined with Euclidean distance over the points in the feature space (the connections), and we assigned a score to each cluster and its examples based on its size. We labeled the points with the lowest scores as anomalous.

As we mentioned, the format of the payload is application and protocol dependent. Moreover, many protocols have fields where any kind of data can be stored. Some authors solved this problem by performing the data processing in a specific way for each service (Krügel et al. 2002, Wang and Stolfo 2004 and Lee et al. 1999). This option has many drawbacks: it works for a reduced set of connections, the protocol used is not always known, and new services cannot be treated automatically. To overcome these problems, the selected payload processing method needs to have the following characteristics:
1. Not requiring human intervention. That is, to be automatic.
2. To be service-independent and, as a consequence, usable in different environments and adaptable to changing situations. That is, to be general.
3. To be computationally efficient.

It is not easy to build a system with all the required skills; on the one hand, it seems that more complex or computationally expensive systems would model the payload better. Nevertheless, in a previous work Perona et al. (2008) already processed payload regardless of the kind of service or port, based on byte frequencies and sequence comparison techniques, and obtained satisfactory results. In the system proposed in this paper we directly worked with the byte sequences corresponding to the payload. This way, the need for processing disappeared, and we used Probabilistic Suffix Trees (PST) as in Sun et al. (2006) for outlier detection. We built a PST based on the payloads of the whole sample. This is a cheap process because, as Sun et al. (2006) stated, the first levels of the PST are enough to detect the outliers. Based on their experience we only developed the trees to a maximum of 5 layers.
Then, we tested all the payloads against the built model and calculated the length-normalized similarity measure (SIMN) between the trained suffix tree and each payload, one by one. The obtained value measures the deviation of the evaluated sequence from the built model, so we could use it to determine the level of outlierness of the corresponding connection; we used it as the score. As described in this section, the output of both processes, the one based on packet header information and the one based on payload, was a set of scores we used to determine the outlierness level of a connection. As a consequence, each of the processes could be used on its own to determine whether the connection corresponds to an attack (an outlier) or not. Based on previous experience, we combined the results obtained with intrinsic and traffic variables (IT) with the results obtained processing the payload (IT+PST). The combination was made by averaging scores. Figure 1 shows a schema of the process.
Figure 1. Schema of the proposed nIDS.
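The payload side of the system described in this section, as an added example that is not code from the paper's system (which the authors wrote in Java): a PST over raw byte sequences grown to at most 5 layers, built from the whole sample without labels, and then used to score every payload by a length-normalised log-likelihood that plays the role of SIMN (lower value, more outlying). The additive smoothing constant, the minimum node support used to prune rare contexts, the back-off rule and the constructed sample (HTTP-like request lines plus one byte string unlike the rest) are all assumptions made for this example.

```python
from collections import defaultdict
from math import log

ALPHABET = 256   # a payload is treated as a raw byte sequence
MAX_DEPTH = 5    # the paper grows the tree to at most 5 layers (after Sun et al. 2006)
ALPHA = 0.01     # additive smoothing (assumption) so an unseen byte never gets probability zero
MIN_COUNT = 2    # contexts seen fewer times than this are pruned (assumption; standard PST pruning)


class PayloadPST:
    """Probabilistic suffix tree over byte strings.

    Each node is a suffix (context) of up to MAX_DEPTH bytes and stores how often every
    byte followed that suffix in the training sample.
    """

    def __init__(self, max_depth=MAX_DEPTH):
        self.max_depth = max_depth
        self.counts = defaultdict(lambda: defaultdict(int))  # context -> {next byte: count}
        self.totals = defaultdict(int)                        # context -> successors seen

    def fit(self, payloads):
        """Build the tree from the whole sample, as the paper does (unsupervised: no labels)."""
        for seq in payloads:
            for i, b in enumerate(seq):
                # every suffix of length 0..max_depth ending just before position i is a node
                for k in range(min(self.max_depth, i) + 1):
                    ctx = seq[i - k:i]
                    self.counts[ctx][b] += 1
                    self.totals[ctx] += 1
        return self

    def prob(self, ctx, b):
        """P(b | ctx): back off to shorter suffixes until a well-supported context is found."""
        while ctx and self.totals.get(ctx, 0) < MIN_COUNT:
            ctx = ctx[1:]
        seen = self.counts[ctx].get(b, 0) if ctx in self.counts else 0
        return (seen + ALPHA) / (self.totals.get(ctx, 0) + ALPHA * ALPHABET)

    def simn(self, seq):
        """Length-normalised similarity: mean log P(byte | preceding suffix).

        The lower the value, the further the sequence is from the model, i.e. the more
        outlying the corresponding connection.
        """
        if not seq:
            return float("-inf")
        logp = 0.0
        for i, b in enumerate(seq):
            logp += log(self.prob(seq[max(0, i - self.max_depth):i], b))
        return logp / len(seq)


def score_payloads(model, payloads):
    """Score every payload against the tree; the result is the per-connection outlier score."""
    return {p: model.simn(p) for p in payloads}


def rank_outliers(scores, n=1):
    """The n lowest-scoring payloads are flagged as the candidate anomalies."""
    return sorted(scores, key=scores.get)[:n]


# Constructed sample (not real traffic): repetitive HTTP-like request lines plus one
# payload made of byte values and byte pairs that never appear in the rest of the sample.
NORMAL = [
    b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n",
    b"GET /about.html HTTP/1.0\r\nHost: www.example.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n",
    b"GET /images/logo.gif HTTP/1.0\r\nHost: www.example.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n",
    b"GET /news/2009.html HTTP/1.0\r\nHost: www.example.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n",
    b"GET /contact.html HTTP/1.0\r\nHost: www.example.com\r\nUser-Agent: Lynx/2.8\r\n\r\n",
    b"POST /login HTTP/1.0\r\nHost: www.example.com\r\nContent-Length: 21\r\n\r\nuser=alice&lang=en_US",
    b"GET /styles/main.css HTTP/1.0\r\nHost: www.example.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n",
    b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\nUser-Agent: Lynx/2.8\r\n\r\n",
]
ODD = bytes(range(0, 256, 7))   # 37 bytes spanning the whole alphabet, mostly unseen above
SAMPLE = NORMAL + [ODD]


def demo():
    """Train on the complete sample (anomaly included) and rank it, as the paper's pipeline does."""
    model = PayloadPST().fit(SAMPLE)
    scores = score_payloads(model, SAMPLE)
    return scores, rank_outliers(scores, n=1)


if __name__ == "__main__":
    scores, worst = demo()
    for p, s in sorted(scores.items(), key=lambda kv: kv[1]):
        print(f"{s:8.3f}  {p[:30]!r}")
```

Because the tree is built from the sample being scored, every context of the unusual payload is in the tree too; it is the support threshold that makes the example work: contexts seen only once are pruned, the score falls back to short suffixes, and bytes that are rare at those levels receive low probability. A larger sample would let a higher threshold be used.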
4. DATA GENERATION

The evaluation and comparison of intrusion detection systems is difficult because it is not easy to obtain labeled data or a database with purely normal network traffic. Unsupervised anomaly detection techniques do not require labeled data to work, but they need it so that the system can be evaluated. We wanted to generate comparable results, so we decided to use standard data such as Kddcup99 from the UCI repository (KDD99-Cup 1999). Kddcup99 was built from the DARPA98 dataset (DARPA 1998), which was generated by the Information System Technology Group (IST) of the MIT Lincoln Laboratory with the collaboration of DARPA and ARFL. They built a network to simulate a real situation of network traffic containing normal traffic and attacks. They used Tcpdump (Jacobson et al. 1989) to sniff the network and stored all the packets belonging to network traffic in a tcpdump file.

Lee generated the UCI-format Kddcup99 database by identifying connections and aggregating the information belonging to them. He included three kinds of features for each connection: intrinsic variables (those obtained by examining the packets' TCP/IP structure, such as protocol, length or urgent bit); traffic variables, which take into account header information of preceding connections contained in a window of some specific size; and, finally, content variables, obtained by examining the payload of some particular services, such as the number of failed logins, the number of file creations, etc. The Kddcup99 database processes a huge amount of information from the DARPA98 dataset and stores it in a format suitable for most machine learning algorithms, but it does not store the original payload information. The only payload based information it keeps is in the content variables (C). This is obviously not a general solution. We reprocessed the DARPA98 database, based on Lee (1999) and using Bro (Paxson 1998), to add information from the original DARPA98 to the Kddcup99 database.
In this new database, each connection has the intrinsic and traffic variables of Kddcup99 together with all the payload data corresponding to it. The aim of this work was to replace the manually drawn information the content variables provide with automatic payload processing. Due to the huge size of the original Kddcup99 database (about 5,000,000 connections), most authors performed their experiments using a sample of the original dataset containing about 10% of the connections. Similarly, we extracted a stratified sample of about 10% of the size of the original one. Since our goal is to find the non-flood attacks, and DARPA98 is overloaded with flood attacks, we filtered all the flood attacks out of the dataset. Thus, we worked with a database of 178,810 examples, of which 3,937 belong to intrusions of 27 different kinds. The first two columns of Table 1 show the kinds of attacks and their frequency.
5. EXPERIMENTAL RESULTS

The aim of this work was to evaluate the performance of the PST algorithm as a tool for unsupervised anomaly detection based on payload, and then to build an efficient nIDS combining it with the system built on packet header information. As a first approach we used only the payload information to build classifiers. On the one hand, we built classifiers using the specific content variables (C) defined in Kddcup99 and the Fixed-Width algorithm; on the other hand, we built PSTs using the ASCII character sequences appearing in the payload. In Table 1 we also included results for another option based directly on the sequence representation of the payload: NCD distance (Li et al. 2004) combined with Fixed-Width clustering (Perona et al. 2008). We also generated and included results obtained using just the intrinsic and traffic variables (IT) as a baseline.

We experimented with the whole database, that is, normal traffic data plus data from 27 different kinds of attacks. We evaluated the results based on the ROC curves and the Areas Under ROC Curves, or AUC values, obtained (Fawcett 2004). To compute the ROC for a single attack type, we ignored the examples belonging to the other attack types. For each option we present the detection rate (AUC) of each type of attack separately, the minimum AUC achieved with each model and the average of the achieved AUC values. The rows in Table 1 correspond to the different attack types, whereas the columns correspond to the different systems. The second column in Table 1 shows the number of examples of each type of attack in the database, the third one shows the AUC values achieved using packet header information (IT), and the next three columns show the results achieved with each methodology based only on payload information. The last three columns show results for complete systems using packet header and payload information.

Table 1. AUC values achieved with the different strategies we tried for all the kinds of attacks in the database.

attacks        n      IT     C      NCD    PST    IT+C   IT+NCD  IT+PST
anomaly        9      0.76   1.00   0.88   1.00   0.91   0.96    1.00
dict           879    0.76   0.99   0.82   1.00   0.95   0.88    0.96
dict_simple    1      0.65   1.00   0.81   0.99   0.81   0.94    1.00
eject          11     0.76   0.98   0.82   1.00   0.86   0.96    0.98
eject-fail     1      0.99   0.80   0.48   0.98   1.00   0.81    1.00
ffb            10     0.80   0.85   0.88   0.92   0.93   0.92    0.95
ffb_clear      1      0.65   1.00   0.81   1.00   0.81   0.95    1.00
format         6      0.79   0.75   0.93   0.89   0.89   0.95    0.95
format_clear   1      0.52   1.00   0.81   1.00   0.72   0.90    1.00
format-fail    1      0.98   1.00   0.81   1.00   0.97   1.00    1.00
ftp-write      8      0.88   0.73   0.88   0.71   0.87   0.85    0.93
guest          50     0.77   1.00   0.85   0.99   0.94   0.90    0.97
imap           7      0.90   0.80   0.70   0.99   0.92   0.86    0.98
land           35     0.92   0.80   0.48   0.98   0.94   0.76    0.99
load_clear     1      0.65   1.00   0.81   0.99   0.81   0.94    1.00
loadmodule     8      0.70   0.84   0.71   0.93   0.87   0.76    0.92
multihop       9      0.72   0.74   0.78   0.89   0.83   0.79    0.91
perl_clear     1      0.95   1.00   0.81   0.99   0.96   0.99    1.00
perlmagic      4      0.66   1.00   0.83   0.99   0.81   0.94    1.00
phf            5      0.90   0.50   0.71   0.93   0.88   0.88    0.97
rootkit        29     0.88   0.81   0.77   0.94   0.87   0.89    0.97
spy            2      0.71   0.80   0.81   1.00   0.86   0.85    0.95
syslog         4      0.82   0.80   0.48   0.99   0.85   0.70    0.98
warez          1085   0.96   0.31   0.48   0.88   0.98   0.78    0.98
teardrop       1      0.82   0.65   1.00   0.98   0.85   0.97    0.98
warezclient    1749   0.81   0.68   0.86   0.77   0.83   0.88    0.92
warezmaster    19     0.94   0.75   0.87   0.95   0.96   0.97    0.97
min                   0.52   0.31   0.48   0.71   0.83   0.70    0.85
Average               0.802  0.837  0.775  0.952  0.933  0.86    0.953
In general terms, the first conclusion that can be drawn from this processing is that, although no context knowledge is used and simple processing is performed, the option we selected in this work for modeling the payload in a general way (PST) was able to differentiate between normal traffic and intrusions and, besides, it did so better than either of the two other payload based options: the model built with NCD distance and Fixed-Width (NCD) and the one built with data obtained using context-specific knowledge for processing the payload (C). Moreover, it achieved higher detection rates than the system based on packet header information (IT). It achieved the best average AUC and the highest value in the row with the minimum AUC. It achieved AUC values of 0.71 or higher for all the kinds of attacks, whereas the rest of the payload based options have minimum values smaller than 0.5, which means that for some kind of attack they achieved worse results than a random classifier would (the IT option achieves a minimum AUC of 0.52, which means that for at least one of the attacks it behaves like a random classifier).

Different techniques showed the ability to detect different kinds of attacks and, based on previous experience, we knew that it is possible to integrate the knowledge of the payload based techniques and the packet header based technique to improve the original results. Thus, we combined, by averaging scores (Perona et al. 2008), the results obtained with the Intrinsic and Traffic variables (IT) with the results obtained with the Content variables on the one hand (IT+C), and with the results obtained with NCD (IT+NCD) and PST (IT+PST) on the other hand. As can be observed, all the combinations contributed to increasing the overall AUC values. Above all, the minimum AUC value increased in the three cases, and this means that a system using this nIDS will be better protected against any kind of attack. The combination with PST achieved the best results, with an average AUC of 0.953. Furthermore, it was able to detect every kind of attack, because the minimum AUC across all types of attacks was 0.85, whereas the IT+C option achieved an average AUC of 0.933 and a minimum value of 0.83, and the IT+NCD option achieved 0.86 and 0.70.
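The header-side detector, the score-averaging combination and the per-attack AUC evaluation described above, as an added example that is not the paper's code: Fixed-Width (Leader) clustering over header feature vectors with a size-based score, an average of the two detectors' scores, and a rank-based AUC computed for each attack type against normal traffic while ignoring the other attack types. The three-feature vectors, the cluster width, the stand-in payload scores (which play the role of the PST's SIMN values) and the min-max rescaling applied before averaging are assumptions of this example; the paper states that scores were averaged but not how they were scaled.

```python
import math
import random


def fixed_width_clusters(points, width):
    """Fixed-Width (Leader) clustering: a point joins the first cluster whose leader lies
    within `width` (Euclidean distance), otherwise it starts a new cluster and becomes its
    leader. Returns one score per point, the relative size of its cluster: small clusters
    score low, and low-scoring points are the anomaly candidates."""
    leaders, sizes, member_of = [], [], []
    for p in points:
        for cid, leader in enumerate(leaders):
            if math.dist(p, leader) <= width:
                sizes[cid] += 1
                member_of.append(cid)
                break
        else:  # no leader close enough: open a new cluster led by this point
            leaders.append(p)
            sizes.append(1)
            member_of.append(len(leaders) - 1)
    return [sizes[cid] / len(points) for cid in member_of]


def minmax(values):
    """Rescale a score list to [0, 1] (assumption: needed so that two detectors' scales match)."""
    lo, hi = min(values), max(values)
    return [(v - lo) / (hi - lo) if hi > lo else 0.5 for v in values]


def combine(*score_lists):
    """Combine detectors by averaging their rescaled scores, as the paper does for IT+PST."""
    rescaled = [minmax(s) for s in score_lists]
    return [sum(col) / len(col) for col in zip(*rescaled)]


def auc_for_attack(scores, labels, attack):
    """AUC of 'lower score = more anomalous' for one attack type against normal traffic,
    ignoring the examples of every other attack type (the paper's per-attack ROC).
    Rank-based (Mann-Whitney) form; ties count one half."""
    atk = [s for s, l in zip(scores, labels) if l == attack]
    nrm = [s for s, l in zip(scores, labels) if l == "normal"]
    wins = sum(1.0 if a < n else 0.5 if a == n else 0.0 for a in atk for n in nrm)
    return wins / (len(atk) * len(nrm))


# Constructed sample (not DARPA98 data): three header features per connection and a
# stand-in payload score per connection that plays the role of the PST's SIMN value.
_rng = random.Random(7)


def _near(center, eps):
    return tuple(c + _rng.uniform(-eps, eps) for c in center)


LABELS, HEADER_X, PAYLOAD_SCORE = [], [], []
for _ in range(12):   # normal connections: a tight header cluster, ordinary payload scores
    LABELS.append("normal")
    HEADER_X.append(_near((0.1, 0.2, 0.3), 0.05))
    PAYLOAD_SCORE.append(_rng.uniform(-1.2, -0.8))
for _ in range(3):    # 'dict' attacks: header statistics stand out, payload looks like a login
    LABELS.append("dict")
    HEADER_X.append(_near((3.0, 3.0, 3.0), 0.05))
    PAYLOAD_SCORE.append(_rng.uniform(-1.2, -0.8))
LABELS.append("phf")  # 'phf' attack: one connection whose headers sit among normal traffic
HEADER_X.append(_near((0.2, 0.25, 0.35), 0.02))
PAYLOAD_SCORE.append(-8.0)  # ... but whose payload is far from the payload model


def evaluate(width=0.5):
    """Per-attack AUC and its minimum for the header detector (IT), the payload detector
    (PST) and their average (IT+PST), mirroring the layout of Table 1."""
    header_score = fixed_width_clusters(HEADER_X, width)
    both = combine(header_score, PAYLOAD_SCORE)
    table = {}
    for name, sc in (("IT", header_score), ("PST", PAYLOAD_SCORE), ("IT+PST", both)):
        per_attack = {a: round(auc_for_attack(sc, LABELS, a), 3) for a in ("dict", "phf")}
        per_attack["min"] = min(per_attack.values())
        table[name] = per_attack
    return table


if __name__ == "__main__":
    for name, row in evaluate().items():
        print(f"{name:7s} {row}")
```

In this constructed setting each detector misses one attack type (the header detector cannot separate the phf connection from the normal cluster it falls into, and the payload scores of the dict connections look normal), while the averaged score ranks both attack types below all normal connections, which is the effect the paper reports as the increase of the minimum AUC in the combined systems.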
It is important to analyze the computational efficiency of the best combination (the system is programmed in Java and was run on a Pentium 4 at 2.8 GHz with 1 GB of RAM). Two phases should be taken into account (see Figure 1). The first is the training phase, where the two models can be built in parallel: the division of the connections into clusters based on IT information and the Fixed-Width clustering algorithm on the one hand, and the building of a PST based on payload information on the other hand. In this phase the bottleneck is the PST: it takes 12 minutes to build the PST from 178,810 examples and 9 minutes to divide the same sample into clusters with the Fixed-Width algorithm. The second is the exploitation phase, where new connections need to be tested against the models in order to obtain the corresponding score or anomaly degree. In this phase the PST clearly outperforms Fixed-Width: more than 8,000 connections can be tested per second, whereas in the case of the clusters only 200 connections per second are tested. This means that once the models are built, the best-performing combined system would be limited to a processing speed of 200 connections per second. Furthermore, looking at the results in Table 1 (the part of the system using only the payload information and the PST achieves the second best results), we could conclude that the best performance/efficiency trade-off will be achieved using just the PST part of the system: an average AUC value of 0.95 while processing more than 8,000 connections per second.
6. CONCLUSIONS AND FURTHER WORK

The experimentation presented in this paper proves that a general payload processing methodology, using the sequences of ASCII characters directly together with Probabilistic Suffix Trees, is more efficient for intrusion detection in an unsupervised anomaly detection context than the specific payload processing done in Kddcup99 and than another option based on NCD. The experimentation showed that PST was able to detect attacks more efficiently in both cases: when used on its own and when combined with the information of the intrinsic and traffic variables. It achieved a higher average AUC and higher minimum values, and it was the system that efficiently detected the most kinds of attacks: 14 vs. 9 and 4, respectively. The combination of payload based systems with the packet header based system always improved the performance of the system. In the case of PST, IT+PST, the combined system achieved an average AUC of 0.953, whereas the average AUC achieved with the best option for ad hoc processing, IT+C, was 0.933. Furthermore, the IT+PST option was able to detect every kind of attack, because the minimum AUC across all types of attacks was 0.85. Moreover, the proposed option is computationally cheap, since there is no need to pre-process the payload and the PST is efficient at detecting outliers.

Based on previous experience we combined the classifiers by averaging scores, but this is an area where a deeper analysis can be carried out and more sophisticated approaches tried. The possibility of using other clustering algorithms and the optimization of their parameters is also an area where more work can be done.
ACKNOWLEDGEMENTS The work described in this paper was partly done under the University of the Basque Country, project EHU 08/08. It was also funded by the FPI program of the Basque Government.
REFERENCES

Ashfaq B., Robert M.J., Mumtaz A., Ali M.Q., Sajjad A., Khayam A., 2008. A Comparative Evaluation of Anomaly Detectors under Portscan Attacks. Proc. of RAID 2008.
Dagorn N., 2008. WebIDS: A Cooperative Bayesian Anomaly Based Intrusion Detection System for Web Applications. Proc. of RAID 2008.
DARPA, 1998. MIT Lincoln Laboratory - DARPA Intrusion Detection Evaluation, http://www.ll.mit.edu/IST/ideval/index.html. Accessed 29 Sep 2008.
Eskin E., Arnold A., Prerau M., Portnoy L., Stolfo S., 2002. A geometric framework for unsupervised anomaly detection: Detecting intrusions in unlabelled data. Data Mining for Security Applications.
Fawcett T., 2004. ROC graphs: notes and practical considerations for researchers. Technical Report HPL-2003-4. HP Laboratories, Palo Alto, CA, USA.
Hodge V.J., Austin J., 2004. A Survey of Outlier Detection Methodologies. Artificial Intelligence Review 22, 85-126.
Jacobson V., Leres C., McCanne S., 1989. Tcpdump. Available via anonymous ftp to ftp.ee.lbl.gov. Accessed 29 Sep 2008.
KDD99-Cup, 1999. The third international knowledge discovery and data mining tools competition dataset, http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html. Accessed 29 Sep 2008.
Krügel C., Toth T., Kirda E., 2002. Service specific anomaly detection for network intrusion detection. Proc. ACM Symposium on Applied Computing.
Lee W., Stolfo S.J., Mok K., 1999. Data mining in work flow environments: Experiences in intrusion detection. Proc. of the Conference on Knowledge Discovery and Data Mining.
Lee W., 1999. A data mining framework for constructing features and models for intrusion detection systems. Ph.D. thesis, Columbia University.
Leung K., Leckie C., 2005. Unsupervised anomaly detection in network intrusion detection using clusters. Proc. Australian Computer Science Conference.
Li M., Chen X., Li X., Ma B., Vitanyi P.M.B., 2004. The similarity metric. IEEE Transactions on Information Theory 50, 3250-3264.
Noh S., Jung G., Choi K., Lee C., 2008. Compiling network traffic into rules using soft computing methods for the detection of flooding attacks. Applied Soft Computing 8(3), 1200-1210.
Paxson V., 1998. Bro: a system for detecting network intruders in real-time. Computer Networks 31, 23-24.
Perona I., Gurrutxaga I., Arbelaitz O., Martin J.I., Muguerza J., Perez J.M., 2008. Service-independent payload analysis to improve intrusion detection in network traffic. Proc. of the 7th Australasian Data Mining Conference (AusDM08).
Portnoy L., Eskin E., Stolfo S., 2001. Intrusion detection with unlabeled data using clustering. Proc. ACM Workshop on Data Mining Applied to Security.
Rehak M., Pechoucek M., Bartos K., Grill M., Celeda P., Krmicek V., 2008. Improving Anomaly Detection Error Rate by Collective Trust Modeling. Proc. of RAID 2008.
Ron D., Singer Y., Tishby N., 1996. The power of amnesia: Learning probabilistic automata with variable memory length. Machine Learning 25, 117-149.
Spath H., 1980. Cluster analysis algorithms. Ellis Horwood, Chichester, UK.
Sun P., Chawla S., Arunasalam B., 2006. Mining for outliers in sequential databases. Proc. of SIAM SDM 06 Conference.
Waizumi Y., Tsuji M., Tsunoda H., Ansari N., Nemoto Y., 2007. Distributed Early Worm Detection Based on Payload Histograms. Proc. of the IEEE International Conference ICC'07.
Wang K., Stolfo S., 2004. Anomalous payload-based network intrusion detection. Proc. International Symposium on Recent Advances in Intrusion Detection.
Warrender C., Forrest S., Pearlmutter B., 1999. Detecting intrusions using system calls: alternative data models. Proc. of IEEE Symposium on Security and Privacy.