Hybrid Intrusion Detection with Weighted Signature Generation over Anomalous Internet Episodes
Kai Hwang, Fellow, IEEE, Min Cai, Member, IEEE, Ying Chen, Student Member, IEEE, and Min Qin
IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 4, NO. 1, JANUARY-MARCH 2007
Presented by Yong Sun Kim
ADS (anomaly detection system)
A hybrid intrusion detection system built with SNORT and an anomaly detection subsystem (ADS) through automated signature generation from Internet episodes.
An anomaly is reported once an episode rule finds no match among the normal connection rules in the database.
Evaluated on a locally captured trace file and the DARPA 1999 IDS evaluation data set (MIT/LL).
“…less than 3 percent false alarm.”
“Our HIDS results in a detection rate of 60 percent… false alarms must be maintained below 3 percent.”
“The HIDS achieved a low 47 percent detection rate at 1 percent false alarms. However, the detection rate can be raised to 60 percent if the false alarms can be tolerated up to 30 percent.”
Fig. 13. ROC curves showing the variation of the average intrusion detection rate of three detection systems as the false alarm rate increases.
(ip proto = icmp), (icmp type = echo req), (1,480 <= src bytes < 1,490), (dst count > 10)
This is the signature of the Pod attack. Using the attribute mappings in Table 4, we translate the signature into a SNORT rule as follows:
alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"possible pod attack"; itype:8; dsize:1480<>1490; threshold:type both, track by_dst, count 10, seconds 1; sid:900001; rev:0;)
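Added example (not code from the paper or the slides): a small Python translator that parses the Pod episode-rule signature above and emits the SNORT rule, using an attribute mapping in the spirit of Table 4. The mapping entries, the ICMP type table and the fixed one-second threshold window are this example's assumptions.

```python
import re

# Constructed input: the Pod-attack signature as printed on the slide.
POD_SIGNATURE = ("(ip proto = icmp), (icmp type = echo req), "
                 "(1,480 <= src bytes < 1,490), (dst count > 10)")

# Attribute mapping in the spirit of the paper's Table 4; these entries are
# this example's assumptions, not the paper's table.
ICMP_TYPES = {"echo req": 8, "echo reply": 0}


def parse_signature(text):
    """Parse '(a = v), (lo <= a < hi), (a > v)' clauses into (attr, op, value) tuples."""
    preds = []
    for clause in re.findall(r"\(([^()]*)\)", text):
        clause = clause.replace(",", "")  # drop thousands separators such as 1,480
        m = re.fullmatch(r"\s*(\d+)\s*<=\s*([a-z ]+?)\s*<\s*(\d+)\s*", clause)
        if m:  # half-open numeric range lo <= attr < hi
            preds.append((m.group(2).strip(), "range", (int(m.group(1)), int(m.group(3)))))
            continue
        m = re.fullmatch(r"\s*([a-z ]+?)\s*(=|>)\s*(.+?)\s*", clause)
        if not m:
            raise ValueError(f"unparsable clause: {clause!r}")
        attr, op, val = m.group(1).strip(), m.group(2), m.group(3)
        preds.append((attr, op, int(val) if val.isdigit() else val))
    return preds


def to_snort_rule(preds, sid, msg):
    """Map each predicate to a SNORT header field or rule option; reject unmapped ones."""
    proto, opts, threshold = "ip", [], ""
    for attr, op, val in preds:
        if (attr, op) == ("ip proto", "="):
            proto = val                                   # rule header protocol
        elif (attr, op) == ("icmp type", "="):
            opts.append(f"itype:{ICMP_TYPES[val]};")      # ICMP type number
        elif (attr, op) == ("src bytes", "range"):
            opts.append(f"dsize:{val[0]}<>{val[1]};")     # payload size range
        elif (attr, op) == ("dst count", ">"):
            # connection count per destination becomes an event threshold;
            # the one-second window is an assumption of this example
            threshold = f" threshold:type both, track by_dst, count {val}, seconds 1;"
        else:
            raise ValueError(f"no SNORT mapping for ({attr} {op} {val})")
    return (f"alert {proto} $EXTERNAL_NET any <> $HOME_NET any "
            f'(msg:"{msg}"; {" ".join(opts)}{threshold} sid:{sid}; rev:0;)')


if __name__ == "__main__":
    print(to_snort_rule(parse_signature(POD_SIGNATURE), 900001, "possible pod attack"))
```

A signature attribute with no entry in the mapping raises an error rather than silently producing a rule that does not encode the anomaly.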