By Topic

Cross-level behavioral analysis for robust early intrusion detection

Sign In

Cookies must be enabled to login.After enabling cookies , please use refresh or reload or ctrl+f5 on the browser for the login options.

Formats Non-Member Member
$31 $13
Learn how you can qualify for the best price for this item!
Become an IEEE Member or Subscribe to
IEEE Xplore for exclusive pricing!
close button

puzzle piece

IEEE membership options for an individual and IEEE Xplore subscriptions for an organization offer the most affordable access to essential journal articles, conference papers, standards, eBooks, and eLearning courses.

Learn more about:

IEEE membership

IEEE Xplore subscriptions

4 Author(s)
Shun-Wen Hsiao ; Dept. of Inf. Manage., Nat. Taiwan Univ., Taipei, Taiwan ; Sun, Y.S. ; Meng Chang Chen ; Hui Zhang

We anticipate future attacks would evolve to become more sophisticated to outwit existing intrusion detection techniques. Existing anomaly analysis techniques and signature-based detection practices can no longer effective. We believe intrusion detection systems (IDSs) of the future will need to be capable to detect or infer attacks based on more valuable information from the network-related properties and characteristics. We observed that even though the signatures or traffic patterns of future stealthy attacks can be modified to outwit current IDSs, certain behavioral aspects of an attack are invariant. We propose a novel approach that jointly monitors network activities at three different levels: transport layer protocols, (vulnerable) network services, and invariant anomaly behaviors (called attack symptoms). Our system, SecMon, captures the network behaviors by simultaneously performing cross-level state correlation for effective detection of anomaly behaviors. For the most part, the invariant anomaly behavior has not been fully exploited in the past. A probabilistic attack inference model is also proposed for attack assessment by correlating the observed attack symptoms to achieve the low false alarm rate. The evaluations demonstrate our prototype system is efficient and effective for sophisticated attacks, including polymorphism, stealthy, and unknown attack.

Published in:

Intelligence and Security Informatics (ISI), 2010 IEEE International Conference on

Date of Conference:

23-26 May 2010