lazarevic03sdm
A Comparative Study of Anomaly Detection Schemes in Network Intrusion Detection

Aleksandar Lazarevic, Aysel Ozgur, Levent Ertoz, Jaideep Srivastava, Vipin Kumar
Department of Computer Science, University of Minnesota, 200 Union Street SE, Minneapolis, MN 55455, USA
aleks@cs.umn.edu, aysel@cs.umn.edu, ertoz@cs.umn.edu, srivasta@cs.umn.edu, kumar@cs.umn.edu

Abstract. Intrusion detection is a suite of techniques for identifying attacks against computers and network infrastructures. Anomaly detection is a key element of intrusion detection systems: perturbations of normal behavior suggest the presence of intentionally or unintentionally induced attacks, faults, defects, etc. Several recently developed anomaly and outlier detection schemes have been proposed for detecting novel attacks whose nature is not known in advance. To support the anomaly detection framework, a procedure for extracting additional useful features is also implemented. In addition, the anomaly detection algorithms are evaluated using standard metrics as well as specific metrics that are especially suitable for intrusions that involve multiple network connections. A detailed comparison of anomaly detection algorithms applied to the DARPA 1998 Intrusion Detection Evaluation Data demonstrates that, depending on the attack type, some anomaly detection schemes are more successful than others in detecting novel anomalies. Moreover, during the past few months the most prominent of these techniques have also been applied to real network data, where they automatically identified several novel intrusions that were at the same time reported by CERT (Computer Emergency Response Team/Coordination Center) for additional investigation, since state-of-the-art intrusion detection techniques could not detect them.

1. Introduction

As the cost of information processing and of Internet access falls, more and more organizations are becoming vulnerable to a wide variety of cyber threats. According to a recent research survey by CERT/CC [1], cyber attacks have increased rapidly over the past decade, which indicates an urgent need to expand efforts in the battle against cyber terrorism. The most widely deployed methods for detecting cyber terrorist attacks and protecting against cyber terrorism employ signature-based detection techniques. Such methods can only detect previously known attacks that have a corresponding signature, since the signature database has to be revised manually for each new type of attack that is discovered. These limitations have led to increasing interest in intrusion detection techniques based on data mining [2, 3, 4, 5, 6]. Data mining based intrusion detection techniques generally fall into one of two categories: misuse detection and anomaly detection. In misuse detection approaches, each instance in a data set is labeled as normal or intrusion (attack) and a learning algorithm is trained over the labeled data. These approaches are able to
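The abstract and introduction contrast signature-based (misuse) detection, which fires only on attacks that already have a signature, with anomaly detection, which models normal behavior and flags deviations from it, and they mention evaluation metrics suited to intrusions spanning many connections. The following added example (not code from the paper or its authors) puts that contrast into runnable form on constructed connection records: a hypothetical signature rule, a k-nearest-neighbour distance outlier detector trained on normal traffic only (chosen here as one illustrative anomaly scheme, not claimed to be the authors' scheme), and a constructed burst-level metric that counts a multi-connection attack as detected once at least half of its connections are flagged. The feature names, the rule, the threshold choice, the attack names and every record are assumptions made for this illustration.

```python
"""Toy comparison of a signature (misuse) detector and an unsupervised
anomaly detector on constructed connection records.

Added example; not code from Lazarevic et al. Feature names, signature
rule, thresholds, attack names and all records are constructed.
Requires Python 3.8+ (math.dist).
"""
import math
import random

FEATURES = ("duration", "src_bytes", "dst_bytes", "count", "serror_rate")
MIN_FRAC = 0.5  # constructed burst metric: fraction of an attack's connections that must be flagged


def make_normal(rng, n):
    """Constructed 'normal' connections: short, modest byte counts, few
    connections to the same host, almost no SYN errors."""
    return [{
        "duration": abs(rng.gauss(2.0, 1.0)),
        "src_bytes": abs(rng.gauss(300.0, 100.0)),
        "dst_bytes": abs(rng.gauss(1500.0, 500.0)),
        "count": rng.randint(1, 8),
        "serror_rate": 0.1 if rng.random() < 0.1 else 0.0,
    } for _ in range(n)]


def make_attacks():
    """Constructed attack connections; each attack is a burst of several connections."""
    recs, labels = [], []
    # Known SYN-flood style probe: many half-open connections to one host.
    for count, serr in ((150, 0.9), (200, 0.95), (180, 1.0), (220, 0.92)):
        recs.append({"duration": 0.0, "src_bytes": 0.0, "dst_bytes": 0.0,
                     "count": count, "serror_rate": serr})
        labels.append("known_syn_flood")
    # Novel slow exfiltration: a few long connections pushing megabytes outbound.
    for dur, sb in ((600.0, 5e6), (720.0, 6e6), (540.0, 4.5e6), (660.0, 5.5e6), (610.0, 5.2e6)):
        recs.append({"duration": dur, "src_bytes": sb, "dst_bytes": 200.0,
                     "count": 1, "serror_rate": 0.0})
        labels.append("novel_exfil")
    return recs, labels


# Hypothetical signature written for the known flood; nothing exists for the novel attack.
SIGNATURES = {
    "syn_flood": lambda r: r["count"] >= 100 and r["serror_rate"] >= 0.8,
}


def signature_alerts(recs):
    """Misuse detection: a connection is an alert iff some known signature matches."""
    return [any(rule(r) for rule in SIGNATURES.values()) for r in recs]


class KnnAnomalyDetector:
    """Anomaly detection: score = distance to the k-th nearest normal connection
    in z-score space; alert if above the largest score seen on normal data."""

    def __init__(self, k=3):
        self.k = k

    def fit(self, normal):
        n = len(normal)
        self.mean = {f: sum(r[f] for r in normal) / n for f in FEATURES}
        self.std = {}
        for f in FEATURES:
            var = sum((r[f] - self.mean[f]) ** 2 for r in normal) / n
            self.std[f] = math.sqrt(var) or 1.0  # guard constant features
        self.train = [self._vec(r) for r in normal]
        # Leave-one-out scores of the normal profile set the alert threshold.
        self.threshold = max(self._knn_dist(v, exclude=i) for i, v in enumerate(self.train))
        return self

    def _vec(self, r):
        return [(r[f] - self.mean[f]) / self.std[f] for f in FEATURES]

    def _knn_dist(self, v, exclude=None):
        dists = sorted(math.dist(v, t) for i, t in enumerate(self.train) if i != exclude)
        return dists[self.k - 1]

    def score(self, r):
        return self._knn_dist(self._vec(r))

    def alerts(self, recs):
        return [self.score(r) > self.threshold for r in recs]


def evaluate(flags, labels):
    """Connection-level rates plus a constructed burst-level metric: an attack
    (all connections sharing a label) counts as detected when at least MIN_FRAC
    of its connections were flagged. labels: None for normal connections."""
    normal = [f for f, l in zip(flags, labels) if l is None]
    attack = [f for f, l in zip(flags, labels) if l is not None]
    per_attack = {}
    for f, l in zip(flags, labels):
        if l is not None:
            per_attack.setdefault(l, []).append(f)
    return {
        "false_alarm_rate": sum(normal) / len(normal),
        "detection_rate": sum(attack) / len(attack),
        "attacks_detected": {a: sum(fl) / len(fl) >= MIN_FRAC for a, fl in per_attack.items()},
    }


def run_comparison(seed=7):
    rng = random.Random(seed)
    train = make_normal(rng, 200)        # normal profile the anomaly detector learns
    test_normal = make_normal(rng, 40)   # held-out normal traffic
    attacks, attack_labels = make_attacks()
    test = test_normal + attacks
    labels = [None] * len(test_normal) + attack_labels
    det = KnnAnomalyDetector(k=3).fit(train)
    return {
        "signature": evaluate(signature_alerts(test), labels),
        "anomaly": evaluate(det.alerts(test), labels),
    }


if __name__ == "__main__":
    for name, res in run_comparison().items():
        print(name, res)
```

On the constructed data the signature detector catches the flood it has a rule for and misses every exfiltration connection, while the detector trained only on normal traffic flags both bursts; the price of the anomaly approach is a non-zero false alarm rate on held-out normal traffic, which is why the choice of threshold and the burst-level view of multi-connection attacks matter when the two are compared.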
This note was uploaded on 02/10/2012 for the course CSE 5800 taught by Professor Staff during the Fall '09 term at FIT.