dc.contributor.advisor: Chan, Philip K.
dc.contributor.author: Mahoney, Matthew V.
dc.contributor.author: Chan, Philip K.
dc.date.accessioned: 2013-11-03T23:16:12Z
dc.date.available: 2013-11-03T23:16:12Z
dc.date.issued: 2002-04-29
dc.identifier.citation: Mahoney, M.V., Chan, P.K. (2002). Learning nonstationary models of normal network traffic for detecting novel attacks (CS-2002-06). Melbourne, FL. Florida Institute of Technology. [en_US]
dc.identifier.other: CS-2002-06
dc.identifier.uri: http://hdl.handle.net/11141/106
dc.description.abstract: Traditional intrusion detection systems (IDS) detect attacks by comparing current behavior to signatures of known attacks. One main drawback is the inability of detecting new attacks which do not have known signatures. In this paper we propose a learning algorithm that constructs models of normal behavior from attack-free network traffic. Behavior that deviates from the learned normal model signals possible novel attacks. Our IDS is unique in two respects. First, it is nonstationary, modeling probabilities based on the time since the last event rather than on average rate. This prevents alarm floods. Second, the IDS learns protocol vocabularies (at the data link through the application layers) in order to detect unknown attacks that attempt to exploit implementation errors in poorly tested features of the target software. On the 1999 DARPA IDS evaluation data set [9], we detect 70 out of 180 attacks (with 100 false alarms), about evenly divided between user behavior anomalies (IP addresses and ports, as modeled by most other systems) and protocol anomalies. Because our methods are unconventional, there is a significant non-overlap of our IDS with the original DARPA participants, which implies that they could be combined to increase coverage. [en_US]
dc.language.iso: en_US [en_US]
dc.rights: Copyright held by authors. [en_US]
dc.title: Learning nonstationary models of normal network traffic for detecting novel attacks [en_US]
dc.type: Technical Report [en_US]

