Issue No.09 - September (2004 vol.16)
Tysen Leckie , IEEE
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/TKDE.2004.43
Anomaly-based Intrusion Detection Systems (IDS) have been widely recognized for their potential to prevent and reduce damage to information systems. In order to build their profiles and to generate their requisite behavior observations, these systems rely on access to payload data, either in the network or on the host system. With the growing reliance on encryption technology, less and less payload data is available for analysis. In order to accomplish intrusion detection in an encrypted environment, a new data representation must emerge. In this paper, we present a knowledge engineering approach to allow intrusion detection in an encrypted environment. Our approach relies on gathering and analyzing several forms of metadata relating to session activity of the principals involved and the protocols that they employ. We then apply statistical and pattern recognition methods to the metadata to distinguish between normal and abnormal activity and then to distinguish between legitimate and malicious behavior.
Anomaly detection, security protocols, user profile, behavioral analysis.
Tysen Leckie, "Metadata for Anomaly-Based Security Protocol Attack Deduction", IEEE Transactions on Knowledge & Data Engineering, vol.16, no. 9, pp. 1157-1168, September 2004, doi:10.1109/TKDE.2004.43