Panacea: Automating Attack Classification for Anomaly-Based Network Intrusion Detection Systems

Bolzoni, Damiano; Etalle, Sandro; Hartel, Pieter H.

doi:10.1007/978-3-642-04342-0_1

Cited by 31 publications

(20 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Bolzoni et al [2] claim that anomaly-based intrusion detection systems are often inefficient when it comes to classifying the attacks they detect. Therefore, security teams or administrators have to manually process each alert generated by the IDS.…”

Section: A Backgroundmentioning

confidence: 99%

See 1 more Smart Citation

Evaluating K-Means++ Clustering for Anomaly-Based Intrusion Detection Systems-Focus on External Threats

Coughlan¹,

Tucker²,

Nelson³

et al. 2017

Jour. Math. Sci. Adv. Appl.

View full text Add to dashboard Cite

Section: A Backgroundmentioning

confidence: 99%

“…SVM is a set of supervised learning methods used for classification. SVM uses "support vectors" and "margins" to classify data into different groups and then assigns new data to a specific group based on distance (Bolzoni et al [2]). RIPPER is a rule induction algorithm that uses a set of IF-THEN rules.…”

Section: A Backgroundmentioning

confidence: 99%

Evaluating K-Means++ Clustering for Anomaly-Based Intrusion Detection Systems-Focus on External Threats

Coughlan¹,

Tucker²,

Nelson³

et al. 2017

Jour. Math. Sci. Adv. Appl.

View full text Add to dashboard Cite

“…Anomaly detection has been extensively leveraged in developing intrusion detection systems [7,19,22], where for instance Bolzoni et al [7] showed how to automatically and systematically classify detected attacks. The main idea was to compute similarities of the payloads of attack data, and later classify it automatically, semi-automatically, and even manually.…”

Section: Related Workmentioning

confidence: 99%

Securing Application-Level Topology Estimation Networks: Facing the Frog-Boiling Attack

Becker

Seibert

Nita-Rotaru

et al. 2011

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Peer-to-peer real-time communication and media streaming applications optimize their performance by using application-level topology estimation services such as virtual coordinate systems. Virtual coordinate systems allow nodes in a peer-to-peer network to accurately predict latency between arbitrary nodes without the need of performing extensive measurements. However, systems that leverage virtual coordinates as supporting building blocks, are prone to attacks conducted by compromised nodes that aim at disrupting, eavesdropping, or mangling with the underlying communications. Recent research proposed techniques to mitigate basic attacks (inflation, deflation, oscillation) considering a single attack strategy model where attackers perform only one type of attack. In this work we explore supervised machine learning techniques to mitigate more subtle yet highly effective attacks (frog-boiling, network-partition) that are able to bypass existing defenses. We evaluate our techniques on the Vivaldi system against a more complex attack strategy model, where attackers perform sequences of all known attacks against virtual coordinate systems, using both simulations and Internet deployments.

show abstract

“…Panacea is heuristic-independent and supports user-defined attack classifications as well. This work appears in a refereed conference paper [3], which is joint work with S. Etalle and P.H. Hartel.…”

Section: Discussionmentioning

confidence: 99%

Revisiting anomaly-based network intrusion detection systems

Bolzoni¹

Self Cite

View full text Add to dashboard Cite

Intrusion detection systems (IDSs) are well-known and widely-deployed security tools to detect cyber-attacks and malicious activities in computer systems and networks.A signature-based IDS works similar to anti-virus software. It employs a signature database of known attacks, and a successful match with current input raises an alert. A signature-based IDS cannot detect unknown attacks, either because the database is out of date or because no signature is available yet.To overcome this limitation, researchers have been developing anomaly-based IDSs. An anomaly-based IDS works by building a model of normal data/usage patterns during a training phase, then it compares new inputs to the model (using a similarity metric). A significant deviation is marked as an anomaly. An anomalybased IDS is able to detect previously unknown, or modifications of well-known, attacks as soon as they take place (i.e., so called zero-day attacks) and targeted attacks.Cyber-attacks and breaches of information security appear to be increasing in frequency and impact. Signature-based IDSs are likely to miss an increasingly number of attack attempts, as cyber-attacks diversify. Thus, one would expect a large number of anomaly-based IDSs to have been deployed to detect the newest disruptive attacks. However, most IDSs in use today are still signature-based, and few anomaly-based IDSs have been deployed in production environments.Up to now a signature-based IDS has been easier to implement and simpler to configure and maintain than an anomaly-based IDS, i.e., it is easier and less expensive to use. We see in these limitations the main reason why anomaly-based systems have not been widely deployed, despite research that has been conducted for more than a decade.To address these limitations we have developed SilentDefense, a comprehensive anomaly-based intrusion detection architecture that outperforms competitors not only in terms of attack detection and false alert rates, but it reduces the user vii effort as well. Several integrated components constitute the architecture of SilentDefense: each component can work independently, but they can be plugged into several configurations to offer diverse (automated) facilities to users, thus reducing user effort. In particular, SilentDefense:• improves the well-known detection algorithm PAYL (for the HTTP protocol, from 90% up to 100% detection rate and from 0,17% down to 0,0016% false alert rate) by adding a neural network that pre-processes network traffic;• reduces the number of false positive alerts (between 50% and 100% fewer alerts) by correlating alerts generated by an intrusion detection system (be it signature-or anomaly-based) monitoring the incoming traffic with a contentbased analysis of the outgoing traffic;• automatically generates regular expressions to validate incoming HTTP requests, that users can edit to tune the anomaly-based detection engine;• automates the classification of anomaly-based alerts by extracting the payload of previous alerts which can be classified using both...

show abstract

Panacea: Automating Attack Classification for Anomaly-Based Network Intrusion Detection Systems

Cited by 31 publications

References 24 publications

Evaluating K-Means++ Clustering for Anomaly-Based Intrusion Detection Systems-Focus on External Threats

Evaluating K-Means++ Clustering for Anomaly-Based Intrusion Detection Systems-Focus on External Threats

Securing Application-Level Topology Estimation Networks: Facing the Frog-Boiling Attack

Revisiting anomaly-based network intrusion detection systems

Contact Info

Product

Resources

About