A Survey of Intrusion Detection Systems Leveraging Host Data

Bridges, Robert A.; Glass-Vanderlan, Tarrah R.; Iannacone, Michael D.; Vincent, Maria S.; Chen, Qian

doi:10.1145/3344382

Cited by 74 publications

(42 citation statements)

References 85 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Any detection system has three fundamental components: a data collection sensor, pre-processing data functions, and a decision engine [18]. A sensor can either retrieve or be given data in the form of host data and/or network traffic.…”

Section: Detection Methodsmentioning

confidence: 99%

Towards a Multi-Layered Phishing Detection

Rendall

Nisioti

Mylonas

2020

Sensors

View full text Add to dashboard Cite

Phishing is one of the most common threats that users face while browsing the web. In the current threat landscape, a targeted phishing attack (i.e., spear phishing) often constitutes the first action of a threat actor during an intrusion campaign. To tackle this threat, many data-driven approaches have been proposed, which mostly rely on the use of supervised machine learning under a single-layer approach. However, such approaches are resource-demanding and, thus, their deployment in production environments is infeasible. Moreover, most previous works utilise a feature set that can be easily tampered with by adversaries. In this paper, we investigate the use of a multi-layered detection framework in which a potential phishing domain is classified multiple times by models using different feature sets. In our work, an additional classification takes place only when the initial one scores below a predefined confidence level, which is set by the system owner. We demonstrate our approach by implementing a two-layered detection system, which uses supervised machine learning to identify phishing attacks. We evaluate our system with a dataset consisting of active phishing attacks and find that its performance is comparable to the state of the art.

show abstract

Section: Detection Methodsmentioning

confidence: 99%

Towards a Multi-Layered Phishing Detection

Rendall

Nisioti

Mylonas

2020

Sensors

View full text Add to dashboard Cite

show abstract

“…Main objectives Aburomman et al [15] IDS based on ensemble and hybrid classifiers Zhou et al [16] Collaborative IDS against coordinated attacks Arshad et al [17] Computational overhead, energy consumption and privacy implications of IDS for IoT Berman et al [18] Deep learning methods applied for cybersecurity Bridges et al [19] IDS leveraging host data Buczak et al [20] IDS based on data mining and machine learning approaches Chandola et al [21] Anomaly detection techniques in general Mitchell et al [22] IDS for cyber-physical systems Tong et al [9] IDS for advanced metering infrastructure Grammatikis et al [23] IDS for SG ecosystems and subsystems Ring et al [24] Network-based IDS datasets…”

Section: Referencesmentioning

confidence: 99%

“…Berman et al [18] give a comprehensive review of deep learning methods applied for cybersecurity. A survey of IDS only considering host-based approaches is presented by Bridges et al [19]. Buczak et al [20] present a summary of IDS leveraging data mining and machine learning approaches and propose that the methods for fast incremental learning should be further exploited.…”

Section: Introductionmentioning

confidence: 99%

A Review of Rule Learning-Based Intrusion Detection Systems and Their Prospects in Smart Grids

2021

View full text Add to dashboard Cite

Intrusion detection systems (IDS) are commonly categorized into misuse based, anomaly based and specification based IDS. Both misuse based IDS and anomaly based IDS are extensively researched in academia and industry. However, as critical infrastructures including smart grids (SG) may often face sophisticated unknown attacks in the near future, misuse based attack detection techniques will mostly miss their targets. Despite the fact that anomaly based IDS can detect novel attacks, they are not often deployed in industry, mainly owing to high false positive rate and lack of interpretability of trained models. With misuse based IDS' inability to detect unknown attacks and requirement for frequently manually crafting and updating signatures and with anomaly based IDS' bad reputation for high false alarm rate, specification based IDS can be regarded as the most suitable detection engine for cyber-physical systems (CPS) including SG. We argue that specification based IDS especially using rule learning could prove to be the most promising IDS for SG. Intrusion detection rules are learned through rule learning techniques and periodically automatically updated to accommodate dynamic system behaviors in SG. Fortunately, rule learning based IDS can not only detect previously unknown attacks but also achieve higher interpretability, due to symbolic representation of learned rules. It can thus be considered more "trustworthy" from human perspective and further assist human in the loop security operation. The present work provides a systematic and deep analysis of rule learning techniques and their suitability for IDS in SG. Besides, it concludes the most important criteria for learning intrusion detection rules and assessing their quality. This work serves not only as a guide to a number of important rule learning techniques but also as the first survey on their applications in IDS, which indicates their potential opportunities in SG security.

show abstract

“…In recent years, ad hoc vehicular networks have become another area of growing interest in network IDS [14], cloud service frameworks have been proposed to enable intrusion detection mechanisms [15], as well as attack detection fremeworks for the vehicle communication bus [16]. Host IDS detect attacks based on system logs, audit data, Windows Registry, file systems, system calls, and program analysis [17]. Two of the most important areas of interest in host IDS are embedded systems [18] and the Android operating system [19], [20].…”

Section: Related Workmentioning

confidence: 99%