Access the full text.
Sign up today, get DeepDyve free for 14 days.
Zonghua Zhang, P. Ho (2009)
Janus: A dual-purpose analytical model for understanding, characterizing and countermining multi-stage collusive attacks in enterprise networksJ. Netw. Comput. Appl., 32
A. Cárdenas, J. Baras, K. Seamon (2006)
A framework for the evaluation of intrusion detection systems2006 IEEE Symposium on Security and Privacy (S&P'06)
ACM Transactions on Autonomous and Adaptive Systems
Phillip Porras, P. Neumann (1997)
EMERALD: Event Monitoring Enabling Responses to Anomalous Live DisturbancesInformation Systems Security
C. Warrender, S. Forrest, Barak Pearlmutter (1999)
Detecting intrusions using system calls: alternative data modelsProceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344)
Nong Ye, Xiangyang Li, Qiang Chen, S. Emran, Mingming Xu (2001)
Probabilistic techniques for intrusion detection based on computer audit dataIEEE Trans. Syst. Man Cybern. Part A, 31
O. Kreidl, T. Frazier (2004)
Feedback control applied to survivability: a host-based autonomic defense systemIEEE Transactions on Reliability, 53
H. Feng, Oleg Kolesnikov, Prahlad Fogla, Wenke Lee, W. Gong (2003)
Anomaly detection using call stack information2003 Symposium on Security and Privacy, 2003.
Marcus Hutter (2003)
Optimality of Universal Bayesian Sequence Prediction for General Loss and AlphabetJ. Mach. Learn. Res., 4
J. Haines, D. Ryder, L. Tinnel, Stephen Taylor (2003)
Validation of Sensor Alert CorrelatorsIEEE Secur. Priv., 1
Jonathan Baxter, P. Bartlett (1999)
Direct Gradient-Based Reinforcement Learning: I. Gradient Estimation Algorithms
R. Solomonoff (2008)
Three Kinds of Probabilistic Induction: Universal Distributions and Convergence TheoremsComput. J., 51
P. Helman, G. Liepins (1993)
Statistical Foundations of Audit Trail Analysis for the Detection of Computer MisuseIEEE Trans. Software Eng., 19
D. Yeung, Yuxin Ding (2003)
Host-based intrusion detection using dynamic and static behavioral modelsPattern Recognit., 36
A. Valdes, K. Skinner (2001)
Probabilistic Alert Correlation
(2009)
M - AID : An adaptive middleware built upon anomaly detectors for intrusion detection and rational response
Y. Liao, V. Vemuri (2002)
Use of K-Nearest Neighbor classifier for intrusion detectionComput. Secur., 21
Wenke Lee, Dong Xiang (2001)
Information-theoretic measures for anomaly detectionProceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001
(2003)
A survey of approximate methods for solving partially observable markov decision processes. National ICT Australia rep
(1999)
Darpa intrusion detection data sets
Zonghua Zhang, Hong Shen (2005)
Constructing multi-layered boundary to defend against intrusive anomalies: an autonomic detection coordinator2005 International Conference on Dependable Systems and Networks (DSN'05)
S. Dobson, S. Denazis, Antonio Fernández, D. Gaïti, E. Gelenbe, F. Massacci, P. Nixon, F. Saffre, N. Schmidt, F. Zambonelli (2006)
A survey of autonomic communicationsACM Trans. Auton. Adapt. Syst., 1
M. Huebscher, J. Mccann (2008)
A survey of autonomic computing—degrees, models, and applicationsACM Comput. Surv., 40
G. Gu, Phillip Porras, V. Yegneswaran, Martin Fong, Wenke Lee (2007)
BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation
K. Tan, R. Maxion (2002)
"Why 6?" Defining the operational limits of stide, an anomaly-based intrusion detectorProceedings 2002 IEEE Symposium on Security and Privacy
Zonehua Zhang, Xiaodong Lin, P. Ho (2007)
Measuring Intrusion Impacts for Rational Response: A State-based Approach2007 Second International Conference on Communications and Networking in China
J. McHugh (2000)
Testing Intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln LaboratoryACM Trans. Inf. Syst. Secur., 3
J. Kittler (2005)
Autonomic Communication, 3854
G. White, E. Fisch, U. Pooch (1996)
Cooperating security managers: a peer-based intrusion detection systemIEEE Netw., 10
P. Ning, Yun Cui, D. Reeves, Dingbang Xu (2004)
Techniques and tools for analyzing intrusion alertsACM Trans. Inf. Syst. Secur., 7
Jonathan Baxter, P. Bartlett (2000)
Direct gradient-based reinforcement learning2000 IEEE International Symposium on Circuits and Systems. Emerging Technologies for the 21st Century. Proceedings (IEEE Cat No.00CH36353), 3
S. Forrest, S. Hofmeyr, Anil Somayaji, T. Longstaff (1996)
A sense of self for Unix processesProceedings 1996 IEEE Symposium on Security and Privacy
Jonathan Baxter, Lex Weaver, P. Bartlett (1999)
Direct Gradient-Based Reinforcement Learning: II. Gradient Ascent Algorithms and Experiments
Stefan Axelsson (2000)
The base-rate fallacy and the difficulty of intrusion detectionACM Trans. Inf. Syst. Secur., 3
Nigel Tao, Jonathan Baxter, Lex Weaver (2001)
A Multi-Agent Policy-Gradient Approach to Network Routing
Wenke Lee, Wei Fan, Matthew Miller, S. Stolfo, E. Zadok (2002)
Toward Cost-Sensitive Modeling for Intrusion Detection and ResponseJ. Comput. Secur., 10
(2007)
Received December
G. Giacinto, F. Roli, Luca Didaci (2003)
Fusion of multiple classifiers for intrusion detection in computer networksPattern Recognit. Lett., 24
G. Gu, Prahlad Fogla, D. Dagon, Wenke Lee, B. Škorić (2006)
Measuring intrusion detection capability: an information-theoretic approach
Steven Snapp, S. Smaha, Daniel Teal, T. Grance (1992)
The DIDS (Distributed Intrusion Detection System) Prototype
Sang-Jun Han, Sung-Bae Cho (2003)
Combining Multiple Host-Based Detectors Using Decision Tree
Steven Cheung, Rick Crawford, M. Dilger, Jeremy Frank, James Hoagland, K. Levitt, J. Rowe, Stuart Staniford-Chen, Raymond Yip, Dan Zerkle (2007)
The Design of GrIDS: A Graph-Based Intrusion Detection System
Anomaly-based intrusion detection is about the discrimination of malicious and legitimate behaviors on the basis of the characterization of system normality in terms of particular observable subjects. As the system normality is constructed solely from an observed sample of normally occurring patterns, anomaly detectors always suffer excessive false alerts. Adaptability is therefore a desirable feature that enables an anomaly detector to alleviate, if not eliminate, such annoyance. To achieve that, we either design self-learning anomaly detectors to capture the drifts of system normality or develop postprocessing mechanisms to deal with the outputs. As the former methodology is usually scenario- and application-specific, in this article, we focus on the latter one. In particular, our design starts from three key observations: (1) most of anomaly detectors are threshold based and parametric, that is, configurable by a set of parameters; (2) anomaly detectors differ in operational environment and operational capability in terms of detection coverage and blind spots; (3) an intrusive anomaly may leave traces across multiple system layers, incurring different observable events of interest. Firstly, we present a statistical framework to formally characterize and analyze the basic behaviors of anomaly detectors by examining the properties of their operational environments. The framework then serves as a theoretical basis for developing an adaptive middleware, which is called M-AID, to optimally integrate a number of observation-specific parameterizable anomaly detectors. Specifically, M-AID treats these fine-grained anomaly detectors as a whole and casts their collective behaviors in a framework which is formulated as a Multiagent Partially Observable Markov Decision Process (MPO-MDP). The generic anomaly detection models of M-AID are thus automatically inferred via a reinforcement learning algorithm which dynamically adjusts the behaviors of anomaly detectors in accordance with a reward signal that is defined and quantified by a suit of evaluation metrics. Fundamentally, the distributed and autonomous architecture enables M-AID to be scalable, dependable, and adaptable, and the reward signal allows security administrators to specify cost factors and take into account the operational context for taking rational response. Finally, a host-based prototype of M-AID is developed, along with comprehensive experimental evaluation and comparative studies.
ACM Transactions on Autonomous and Adaptive Systems (TAAS) – Association for Computing Machinery
Published: Nov 1, 2009
Read and print from thousands of top scholarly journals.
Already have an account? Log in
Bookmark this article. You can see your Bookmarks on your DeepDyve Library.
To save an article, log in first, or sign up for a DeepDyve account if you don’t already have one.
Copy and paste the desired citation format or use the link below to download a file formatted for EndNote
Access the full text.
Sign up today, get DeepDyve free for 14 days.
All DeepDyve websites use cookies to improve your online experience. They were placed on your computer when you launched this website. You can change your cookie settings through your browser.