Metadata for Anomaly-Based Security Protocol Attack Deduction
September 2004 (vol. 16 no. 9)
pp. 1157-1168
Anomaly-based Intrusion Detection Systems (IDS) have been widely recognized for their potential to prevent and reduce damage to information systems. In order to build their profiles and to generate their requisite behavior observations, these systems rely on access to payload data, either in the network or on the host system. With the growing reliance on encryption technology, less and less payload data is available for analysis. In order to accomplish intrusion detection in an encrypted environment, a new data representation must emerge. In this paper, we present a knowledge engineering approach to allow intrusion detection in an encrypted environment. Our approach relies on gathering and analyzing several forms of metadata relating to session activity of the principals involved and the protocols that they employ. We then apply statistical and pattern recognition methods to the metadata to distinguish between normal and abnormal activity and then to distinguish between legitimate and malicious behavior.
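The abstract describes profiling session metadata rather than payloads, then applying statistical methods to separate normal from abnormal runs. The following is an added illustration of that idea, not code from the paper: it monitors a hypothetical four-message handshake and records only who sent each message, the ciphertext length and the inter-message delay. The handshake, the training sessions, the per-position mean/standard-deviation profile, the standard-deviation floor and the z-score threshold of 4.0 are all constructed assumptions for this example.

```python
"""Anomaly detection over encrypted-session metadata (added illustration).

No payload is inspected. Each observed protocol run is reduced to metadata
(message direction, ciphertext length, inter-message delay), a statistical
profile of normal runs is learned, and sessions that deviate are flagged.
The protocol, sessions and threshold are constructed, not from the paper.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Msg:
    direction: str    # "C>S" or "S>C": which principal sent the message
    length: int       # ciphertext length in bytes (contents are opaque)
    delay_ms: float   # milliseconds since the previous message of the session


# Constructed training data: five normal runs of a hypothetical
# four-message handshake as seen by a passive network monitor.
NORMAL_SESSIONS = [
    [Msg("C>S", 64, 0), Msg("S>C", 1024, 12), Msg("C>S", 256, 40), Msg("S>C", 48, 10)],
    [Msg("C>S", 66, 0), Msg("S>C", 1030, 14), Msg("C>S", 258, 42), Msg("S>C", 48, 11)],
    [Msg("C>S", 62, 0), Msg("S>C", 1018, 10), Msg("C>S", 254, 38), Msg("S>C", 48, 9)],
    [Msg("C>S", 64, 0), Msg("S>C", 1024, 12), Msg("C>S", 256, 40), Msg("S>C", 48, 10)],
    [Msg("C>S", 64, 0), Msg("S>C", 1024, 12), Msg("C>S", 256, 40), Msg("S>C", 48, 10)],
]

STD_FLOOR = 1.0  # assumed floor; avoids division by zero for features that never vary


def session_shape(session):
    """The direction sequence is the coarsest metadata feature: it records who
    spoke when, which needs no access to message contents."""
    return tuple(m.direction for m in session)


def _stats(values):
    return mean(values), max(pstdev(values), STD_FLOOR)


class MetadataProfile:
    """Per-position mean and standard deviation of length and delay, learned
    from normal runs; a session is scored by its largest z-score."""

    def __init__(self, sessions, threshold=4.0):
        shapes = {session_shape(s) for s in sessions}
        if len(shapes) != 1:
            raise ValueError("training runs must share one message sequence")
        self.shape = shapes.pop()
        self.threshold = threshold
        n = len(self.shape)
        self.length_stats = [_stats([s[i].length for s in sessions]) for i in range(n)]
        self.delay_stats = [_stats([s[i].delay_ms for s in sessions]) for i in range(n)]

    def score(self, session):
        """Return (max_z, findings). A message sequence that differs from the
        profile (missing, extra or reordered messages) is reported on its own
        with an infinite score; otherwise every feature whose z-score exceeds
        the threshold is listed."""
        shape = session_shape(session)
        if shape != self.shape:
            return float("inf"), [f"message sequence {shape} differs from profile {self.shape}"]
        max_z, findings = 0.0, []
        for i, m in enumerate(session):
            for name, value, (mu, sd) in (("length", m.length, self.length_stats[i]),
                                          ("delay", m.delay_ms, self.delay_stats[i])):
                z = abs(value - mu) / sd
                max_z = max(max_z, z)
                if z > self.threshold:
                    findings.append(f"msg {i} {m.direction} {name}={value} "
                                    f"(z={z:.1f}, expected about {mu:.0f})")
        return max_z, findings

    def is_anomalous(self, session):
        return self.score(session)[0] > self.threshold


if __name__ == "__main__":
    profile = MetadataProfile(NORMAL_SESSIONS)
    # Constructed sessions: one within the profile, one with an oversized
    # server message, one with a stalled client, one that ends early.
    samples = {
        "normal":    [Msg("C>S", 64, 0), Msg("S>C", 1026, 12), Msg("C>S", 256, 41), Msg("S>C", 48, 10)],
        "oversized": [Msg("C>S", 64, 0), Msg("S>C", 4096, 12), Msg("C>S", 256, 40), Msg("S>C", 48, 10)],
        "stalled":   [Msg("C>S", 64, 0), Msg("S>C", 1024, 12), Msg("C>S", 256, 5000), Msg("S>C", 48, 10)],
        "truncated": [Msg("C>S", 64, 0), Msg("S>C", 1024, 12), Msg("C>S", 256, 40)],
    }
    for label, session in samples.items():
        max_z, findings = profile.score(session)
        print(f"{label:10s} max_z={max_z:8.1f} anomalous={profile.is_anomalous(session)} {findings}")
```

The z-score threshold trades false positives against sensitivity and would be tuned on a held-out set of normal runs in practice; the sequence-shape check is kept separate because a run with the wrong number or order of messages is a protocol-level deviation that no per-position statistic can express.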
Index Terms:
Anomaly detection, security protocols, user profile, behavioral analysis.
Citation:
Tysen Leckie, Alec Yasinsac, "Metadata for Anomaly-Based Security Protocol Attack Deduction," IEEE Transactions on Knowledge and Data Engineering, vol. 16, no. 9, pp. 1157-1168, Sept. 2004, doi:10.1109/TKDE.2004.43