How Much Training Data is Enough? A Case Study for HTTP Anomaly-Based Intrusion Detection

Estepa, Rafael; Díaz-Verdejo, Jesús E.; Estepa, Antonio; Madinabeitia, Germán

doi:10.1109/access.2020.2977591

Cited by 9 publications

(3 citation statements)

References 34 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A prerequisite is to collect enough volume of events from the operational environment [37]. The size of the collected dataset will have implications in the time spent in the tuning process since we will need to manually review some of the alerts generated.…”

Section: Methods For Reducing the False Alarm Ratementioning

confidence: 99%

See 1 more Smart Citation

On the Detection Capabilities of Signature-Based Intrusion Detection Systems in the Context of Web Attacks

et al. 2022

Self Cite

View full text Add to dashboard Cite

Signature-based Intrusion Detection Systems (SIDS) play a crucial role within the arsenal of security components of most organizations. They can find traces of known attacks in the network traffic or host events for which patterns or signatures have been pre-established. SIDS include standard packages of detection rulesets, but only those rules suited to the operational environment should be activated for optimal performance. However, some organizations might skip this tuning process and instead activate default off-the-shelf rulesets without understanding its implications and trade-offs. In this work, we help gain insight into the consequences of using predefined rulesets in the performance of SIDS. We experimentally explore the performance of three SIDS in the context of web attacks. In particular, we gauge the detection rate obtained with predefined subsets of rules for Snort, ModSecurity and Nemesida using seven attack datasets. We also determine the precision and rate of alert generated by each detector in a real-life case using a large trace from a public webserver. Results show that the maximum detection rate achieved by the SIDS under test is insufficient to protect systems effectively and is lower than expected for known attacks. Our results also indicate that the choice of predefined settings activated on each detector strongly influences its detection capability and false alarm rate. Snort and ModSecurity scored either a very poor detection rate (activating the less-sensitive predefined ruleset) or a very poor precision (activating the full ruleset). We also found that using various SIDS for a cooperative decision can improve the precision or the detection rate, but not both. Consequently, it is necessary to reflect upon the role of these open-source SIDS with default configurations as core elements for protection in the context of web attacks. Finally, we provide an efficient method for systematically determining which rules deactivate from a ruleset to significantly reduce the false alarm rate for a target operational environment. We tested our approach using Snort’s ruleset in our real-life trace, increasing the precision from 0.015 to 1 in less than 16 h of work.

show abstract

Section: Methods For Reducing the False Alarm Ratementioning

confidence: 99%

“…In a way, this can be viewed as a type of voting scheme. In a previous work [37], we combined ModSecurity [38] and Snort [39] to sanitize HTTP traces by combining the output of both detectors (∪ operation). Sanitization, however, is meant to maximize TP but not to minimize FP.…”

Section: Related Workmentioning

confidence: 99%

On the Detection Capabilities of Signature-Based Intrusion Detection Systems in the Context of Web Attacks

et al. 2022

Self Cite

View full text Add to dashboard Cite

show abstract

“…Using the sensors [2] and different IoT devices. Moreover, the security in big data is very challenging as it is concerned with attacks [3] that can originate either from online or offline spheres, hence, we can collect data and store the data using different protocols such as hypertext transfer protocol (HTTP) [4], message queue telemetry transport protocol (MQTT) [5], and constrained application protocol (CoAP) [6]. The data is stored so it can be utilized for the improvement of the device.…”

Section: Introductionmentioning

confidence: 99%

Reputation-based Security model for detecting biased attacks in BigData

Desai

Annappaiah

2023

IJEECS

View full text Add to dashboard Cite

As internet of things (IoT) devices are increasing since the emergence of these devices in 2010, the data stored by these devices should have a proper security measure so that it can be stored without getting in hands of an attacker. The data stored has to be analyzed whether the data is safe or malicious, as the malicious data can corrupt the whole information. The security model in BigData has many challenges such as vulnerability to fake data generation, troubles with cryptographic protection, and absent security audits. As cyberattacks are increasing the main objective of each organization is to secure the data efficiently. This paper presents a model of reputation security for the detection of biased attacks on BigData. The proposed model provides various evaluation models to identify biased attack in malicious IoT devices and provide a secure communication metric for BigData. The results show better rates in terms of attack detection rate, attack detection failure rata, system throughput and number of dead nodes when the attack rate is increased when compared with the existing reputation-based security (ERS) model. Moreover, this model reputation-based biased attack detection (RBAD) increases the security of the IoT devices in the BigData and reduces the biased attack coming from various malicious nodes.

show abstract

A critical review of the techniques used for anomaly detection of HTTP-based attacks: taxonomy, limitations and open challenges

Díaz-Verdejo

Estepa

et al. 2023

Computers & Security

View full text Add to dashboard Cite

How Much Training Data is Enough? A Case Study for HTTP Anomaly-Based Intrusion Detection

Cited by 9 publications

References 34 publications

On the Detection Capabilities of Signature-Based Intrusion Detection Systems in the Context of Web Attacks

On the Detection Capabilities of Signature-Based Intrusion Detection Systems in the Context of Web Attacks

Reputation-based Security model for detecting biased attacks in BigData

A critical review of the techniques used for anomaly detection of HTTP-based attacks: taxonomy, limitations and open challenges

Contact Info

Product

Resources

About