
Case-Based Anomaly Detection

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNAI,volume 4626))

Abstract

Computer and network security is an extremely active and productive research area, and researchers worldwide address its problems with many different models and methods. In this article we illustrate a case-based approach in which normal user-computer interaction is captured as a set of snapshots of a small number of runs of the same application, each attack-free and sufficiently different from the others. The generic case representation is obtained by encoding in numeric form the arguments and parameters of system calls deemed potentially dangerous. The similarity between a new input case and the cases stored in the case library is measured by the Earth Mover's Distance between the corresponding feature distributions, which are obtained by cluster analysis.
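The following is an added, runnable illustration of the pipeline the abstract describes (numeric encoding of dangerous system-call arguments, cluster analysis into a per-case signature, Earth Mover's Distance against a library of attack-free cases). It is not the authors' code: the set of "dangerous" calls, the feature used (length of the first string argument), 1-D k-means as the clustering step, the threshold rule (largest distance between two library cases) and all trace lines are assumptions constructed for the example.

```python
"""Case-based anomaly detection over system-call arguments (added example).

One case = one attack-free run of an application, reduced to a scalar feature
per potentially dangerous call and summarised by a clustered signature; a new
run is compared with the case library by Earth Mover's Distance (EMD).
Assumptions made here: the DANGEROUS set, the feature (argument length),
1-D k-means as the cluster analysis, and the threshold rule.
"""
import re
from collections import Counter

# Calls whose arguments are inspected (assumption; the paper's list is not given here).
DANGEROUS = {"open", "execve", "unlink", "chmod", "connect"}
# Matches strace-style lines such as   open("/etc/passwd", O_RDONLY) = 3
CALL_RE = re.compile(r'^(\w+)\("([^"]*)"')


def encode_case(trace_lines):
    """Numeric case representation: one scalar per dangerous call, here the
    length of its first string argument (a path or command)."""
    feats = []
    for line in trace_lines:
        m = CALL_RE.match(line.strip())
        if m and m.group(1) in DANGEROUS:
            feats.append(float(len(m.group(2))))
    if not feats:
        raise ValueError("trace contains no potentially dangerous calls")
    return feats


def _assign(vals, centroids):
    groups = [[] for _ in centroids]
    for v in vals:
        groups[min(range(len(centroids)), key=lambda i: abs(v - centroids[i]))].append(v)
    return groups


def signature(values, k=2, iters=50):
    """Cluster the features (1-D k-means, quantile-initialised) into a
    signature: a list of (centroid, weight) whose weights sum to 1."""
    vals = sorted(values)
    n = len(vals)
    if n <= k:  # too few points to cluster: every distinct value is a cluster
        return [(float(v), c / n) for v, c in sorted(Counter(vals).items())]
    centroids = [vals[(2 * i + 1) * n // (2 * k)] for i in range(k)]
    for _ in range(iters):
        groups = _assign(vals, centroids)
        new = [sum(g) / len(g) if g else c for g, c in zip(groups, centroids)]
        if new == centroids:
            break
        centroids = new
    groups = _assign(vals, centroids)
    return [(c, len(g) / n) for c, g in zip(centroids, groups) if g]


def emd_1d(sig_a, sig_b):
    """EMD between two 1-D signatures of equal total mass.  In one dimension
    the transportation problem has a closed form: the integral over x of
    |F_a(x) - F_b(x)|, F being the cumulative mass function."""
    mass_a, mass_b = Counter(), Counter()
    for p, w in sig_a:
        mass_a[p] += w
    for p, w in sig_b:
        mass_b[p] += w
    fa = fb = total = 0.0
    prev = None
    for p in sorted(set(mass_a) | set(mass_b)):
        if prev is not None:
            total += abs(fa - fb) * (p - prev)  # both CDFs are flat between points
        fa += mass_a[p]
        fb += mass_b[p]
        prev = p
    return total


class CaseLibrary:
    """Attack-free snapshots of the same application plus the decision rule."""

    def __init__(self, normal_traces, k=2):
        if len(normal_traces) < 2:
            raise ValueError("need at least two attack-free cases")
        self.k = k
        self.cases = [signature(encode_case(t), k) for t in normal_traces]
        # Threshold (assumption): the largest EMD between any two library cases,
        # i.e. the spread that normal runs already exhibit among themselves.
        self.threshold = max(emd_1d(a, b) for i, a in enumerate(self.cases) for b in self.cases[i + 1:])

    def distance(self, trace):
        """Similarity to the library = EMD to the nearest stored case."""
        sig = signature(encode_case(trace), self.k)
        return min(emd_1d(sig, c) for c in self.cases)

    def is_anomalous(self, trace):
        return self.distance(trace) > self.threshold


# Constructed strace-like traces of one hypothetical application (not real captures).
NORMAL_TRACES = [
    ['open("/etc/app/config.ini", O_RDONLY) = 3', 'read(3, ...) = 512',
     'open("/var/lib/app/data.db", O_RDWR) = 4', 'execve("/usr/bin/sort", ...)',
     'unlink("/tmp/app.lock") = 0'],
    ['open("/etc/app/config.ini", O_RDONLY) = 3', 'open("/var/lib/app/cache.db", O_RDWR) = 4',
     'execve("/usr/bin/gzip", ...)', 'unlink("/tmp/app.lock") = 0',
     'chmod("/var/lib/app/cache.db", 0600) = 0'],
    ['open("/etc/app/config.ini", O_RDONLY) = 3', 'open("/var/lib/app/data.db", O_RDWR) = 4',
     'execve("/usr/bin/sort", ...)', 'connect("/run/app.sock") = 0',
     'unlink("/tmp/app.lock") = 0'],
]
NEW_NORMAL = ['open("/etc/app/config.ini", O_RDONLY) = 3', 'open("/var/lib/app/data.db", O_RDWR) = 4',
              'execve("/usr/bin/gzip", ...)', 'unlink("/tmp/app.lock") = 0',
              'chmod("/var/lib/app/data.db", 0600) = 0']
ATTACK = ['open("/etc/app/config.ini", O_RDONLY) = 3',
          'open("../../../../../../etc/passwd", O_RDONLY) = 4',  # traversal
          'execve("/bin/sh", ...)', 'unlink("/var/log/app/audit.log") = 0',
          'chmod("/tmp/.x/payload", 0755) = 0', 'execve("/tmp/.x/payload", ...)']

LIBRARY = CaseLibrary(NORMAL_TRACES)

if __name__ == "__main__":
    print("threshold", round(LIBRARY.threshold, 3))
    for name, t in (("new normal run", NEW_NORMAL), ("attack run", ATTACK)):
        verdict = "anomalous" if LIBRARY.is_anomalous(t) else "ok"
        print(name, round(LIBRARY.distance(t), 3), verdict)
```

Because the feature here is a single scalar, the EMD reduces to the closed form over the two cumulative distributions; with the multi-dimensional signatures that cluster analysis normally produces, the EMD is a transportation problem and needs an LP or network-simplex solver. Note also that the attack run is flagged only because its argument lengths shift the distribution; an attacker who keeps argument lengths within the normal range would not be caught by this feature alone, which is the usual mimicry caveat for argument-based anomaly detectors.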




Editor information

Rosina O. Weber, Michael M. Richter


Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Micarelli, A., Sansonetti, G. (2007). Case-Based Anomaly Detection. In: Weber, R.O., Richter, M.M. (eds) Case-Based Reasoning Research and Development. ICCBR 2007. Lecture Notes in Computer Science(), vol 4626. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-74141-1_19


  • DOI: https://doi.org/10.1007/978-3-540-74141-1_19

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-74138-1

  • Online ISBN: 978-3-540-74141-1

