Runtime Monitoring and Dynamic Reconfiguration for Intrusion Detection Systems

Řehák, Martin; Staab, Eugen; Fusenig, Volker; Pěchouček, Michal; Grill, Martin; Stiborek, Jan; Bartos, Karel; Engel, Thomas

doi:10.1007/978-3-642-04342-0_4

Cited by 19 publications

(12 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The most commonly used model for attack trees is based on propositional logic, cf. [4,16]. Here, we propose an extension of this model to attack-defense trees.…”

Section: Models For Attack-defense Termsmentioning

confidence: 95%

See 1 more Smart Citation

Foundations of Attack–Defense Trees

Kordy

Mauw

Radomirović

et al. 2011

Lecture Notes in Computer Science

188

159

View full text Add to dashboard Cite

show abstract

“…The most commonly used model for attack trees is based on propositional logic, cf. [4,16]. Here, we propose an extension of this model to attack-defense trees.…”

Section: Models For Attack-defense Termsmentioning

confidence: 95%

“…Several different approaches, like propositional logics or multiset interpretations, were proposed in the literature to define semantics for attack trees [4,16,3]. In this section, we extend them to attack-defense trees.…”

Section: Models For Attack-defense Termsmentioning

confidence: 98%

Foundations of Attack–Defense Trees

Kordy

Mauw

Radomirović

et al. 2011

Lecture Notes in Computer Science

188

159

View full text Add to dashboard Cite

show abstract

“…Cretu et al [35] proposed a method that tries to allow the detection sensor to adapt to behaviors of the protected host during the training phase. Rehák et al [36] developed a framework for online monitoring and optimization of IDS based on the insertion of network traffic. Rassam et al [37] proposed two anomaly detection models, namely, Principal Component Classifier-based Anomaly Detection (PCCAD) and adaptive PCCAD for static and dynamic environments.…”

Section: Adaptive and Online Anomaly Intrusion Detectionmentioning

confidence: 99%

Autonomic intrusion detection: Adaptively detecting anomalies over unlabeled audit data streams in computer networks

Wang

Guyet

Quiniou

et al. 2014

Knowledge-Based Systems

View full text Add to dashboard Cite

In this work, we propose a novel framework of autonomic intrusion detection that fulfills online and adaptive intrusion detection over unlabeled HTTP traffic streams in computer networks. The framework holds potential for self-managing: self-labeling, self-updating and self-adapting. Our framework employs the Affinity Propagation (AP) algorithm to learn a subject's behaviors through dynamical clustering of the streaming data. It automatically labels the data and adapts to normal behavior changes while identifies anomalies. Two large real HTTP traffic streams collected in our institute as well as a set of benchmark KDD'99 data are used to validate the framework and the method. The test results show that the autonomic model achieves better results in terms of effectiveness and efficiency compared to adaptive Sequential Karhunen-Loeve method and static AP as well as three other static anomaly detection methods, namely k-NN, PCA and SVM.

show abstract

“…scanning and DDoS attacks) was observed to be the main reason for short, unidirectional one-way flows on both campus and backbone links [28]. Rehák et al [29] uses NetFlow data to fine-tune an Intrusion Detection System (IDS) by periodical insertion of challenges (or fault injections).…”

Section: Related Workmentioning

confidence: 99%

Tracking Malicious Hosts on a 10Gbps Backbone Link

Almgren

John

2012

Information Security Technology for Applications

View full text Add to dashboard Cite

Abstract. We use anonymized flow data collected from a 10Gbps backbone link to discover and analyze malicious flow patterns. Even though such data may be rather difficult to interpret, we show how to bootstrap our analysis with a set of malicious hosts to discover more obscure patterns. Our analysis spans from simple attribute aggregates (such as top IP and port numbers) to advanced temporal analysis of communication patterns between normal and malicious hosts. For example, we found some complex communication patterns that possibly lasted for over a week. Furthermore, several malicious hosts were active over the whole data collection period, despite being blacklisted. We also discuss the problems of working with anonymized data. Given that this type of privacy-sensitive backbone data would not be available for analysis without proper anonymization, we show that it can still offer many novel insights, valuable for both network researchers and practitioners.

show abstract

Runtime Monitoring and Dynamic Reconfiguration for Intrusion Detection Systems

Cited by 19 publications

References 23 publications

Foundations of Attack–Defense Trees

Foundations of Attack–Defense Trees

Autonomic intrusion detection: Adaptively detecting anomalies over unlabeled audit data streams in computer networks

Tracking Malicious Hosts on a 10Gbps Backbone Link

Contact Info

Product

Resources

About