Data Mining and Knowledge Engineering

Open Access Open Access  Restricted Access Subscription Access
Open Access Open Access Open Access  Restricted Access Restricted Access Subscription Access

Combination of Misuse and Anomaly Intrusion Detection Systems


Affiliations
1 Department of IT, EGSPEC, Nagapattinam, India
     

   Subscribe/Renew Journal


This paper reports the design principles and evaluation results of a new experimental hybrid intrusion detection system (HIDS) to provide the cyber security. This hybrid system combines the advantages of low false-positive rate of signature-based intrusion detection system (IDS) and the ability of anomaly detection system (ADS) to detect novel unknown attacks. By mining anomalous traffic episodes from Internet connections, build an ADS that detects anomalies beyond the capabilities of signature-based SNORT or Bro systems. A weighted signature generation scheme is developed to integrate ADS with SNORT by extracting signatures from anomalies detected. HIDS extracts signatures from the output of ADS and adds them into the SNORT signature database for fast and accurate intrusion detection. By testing this HIDS scheme over real-life Internet trace data mixed with 10 days of Massachusetts Institute of Technology/Lincoln Laboratory (MIT/LL) attack data set, our experimental results show a 60 percent detection rate of the HIDS, compared with 30 percent and 22 percent in using the SNORT and Bro systems, respectively. This sharp increase in detection rate is obtained with less than 3 percent false alarms.
The signatures generated by ADS upgrade the SNORT performance by 33 percent. The HIDS approach proves the vitality of detecting intrusions and anomalies, simultaneously, by automated data mining and signature generation over Internet connection episodes.

Keywords

Network Security, Anomaly Detection, Signature Generation, SNORT and BRO Systems, False Alarms, Internet Episodes and Traffic Data Mining.
User
Subscription Login to verify subscription
Notifications
Font Size

Abstract Views: 171

PDF Views: 2




  • Combination of Misuse and Anomaly Intrusion Detection Systems

Abstract Views: 171  |  PDF Views: 2

Authors

B. Saravanakumaran
Department of IT, EGSPEC, Nagapattinam, India

Abstract


This paper reports the design principles and evaluation results of a new experimental hybrid intrusion detection system (HIDS) to provide the cyber security. This hybrid system combines the advantages of low false-positive rate of signature-based intrusion detection system (IDS) and the ability of anomaly detection system (ADS) to detect novel unknown attacks. By mining anomalous traffic episodes from Internet connections, build an ADS that detects anomalies beyond the capabilities of signature-based SNORT or Bro systems. A weighted signature generation scheme is developed to integrate ADS with SNORT by extracting signatures from anomalies detected. HIDS extracts signatures from the output of ADS and adds them into the SNORT signature database for fast and accurate intrusion detection. By testing this HIDS scheme over real-life Internet trace data mixed with 10 days of Massachusetts Institute of Technology/Lincoln Laboratory (MIT/LL) attack data set, our experimental results show a 60 percent detection rate of the HIDS, compared with 30 percent and 22 percent in using the SNORT and Bro systems, respectively. This sharp increase in detection rate is obtained with less than 3 percent false alarms.
The signatures generated by ADS upgrade the SNORT performance by 33 percent. The HIDS approach proves the vitality of detecting intrusions and anomalies, simultaneously, by automated data mining and signature generation over Internet connection episodes.

Keywords


Network Security, Anomaly Detection, Signature Generation, SNORT and BRO Systems, False Alarms, Internet Episodes and Traffic Data Mining.