Protocol analysis in intrusion detection using decision tree

Abbes, Tarek; Bouhoula, Adel; Rusinowitch, Michaël

doi:10.1109/itcc.2004.1286488

Cited by 69 publications

(40 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Firewall rules: A firewall security policy is a list of ordered filtering rules that define the actions performed on packets that satisfy specific conditions. Before to develop rules filtering by using packet filter, anything have to be considered beforehand how far demarcation which will be applied, because more and more demarcation applied hence increases the search time and space requirements of the packet filtering process [1] and consequences to make downhill performance progressively [11] . This matter because every incoming network packet and go out the network checked beforehand by rules alternately until matching rule found in firewall [12] .…”

Section: Theoretical Backgroundmentioning

confidence: 99%

See 1 more Smart Citation

Intrusion Preventing System using Intrusion Detection System Decision Tree Data Mining

Syurahbil¹,

Noraziah²,

Zolkipli³

et al. 2009

American J. of Engineering and Applied Sciences

View full text Add to dashboard Cite

Problem statement:To distinguish the activities of the network traffic that the intrusion and normal is very difficult and to need much time consuming. An analyst must review all the data that large and wide to find the sequence of intrusion on the network connection. Therefore, it needs a way that can detect network intrusion to reflect the current network traffics. Approach: In this study, a novel method to find intrusion characteristic for IDS using decision tree machine learning of data mining technique was proposed. Method used to generate of rules is classification by ID3 algorithm of decision tree. Results: These rules can determine of intrusion characteristics then to implement in the firewall policy rules as prevention. Conclusion: Combination of IDS and firewall so-called the IPS, so that besides detecting the existence of intrusion also can execute by doing deny of intrusion as prevention.

show abstract

Section: Theoretical Backgroundmentioning

confidence: 99%

“…From a security standpoint, it is crucial to be able to distinguish normal activity from the activity of someone to attack server or network [3] . Log files are useful for three reasons [11] :…”

Section: Theoretical Backgroundmentioning

confidence: 99%

Intrusion Preventing System using Intrusion Detection System Decision Tree Data Mining

Syurahbil¹,

Noraziah²,

Zolkipli³

et al. 2009

American J. of Engineering and Applied Sciences

View full text Add to dashboard Cite

show abstract

“…Abbess et al [9] proposed a combination of pattern matching and protocol analysis approaches. The first method worked on multi-pattern matching strategy.…”

Section: Related Workmentioning

confidence: 99%

A Data Mining Approach for Detection of Self-Propagating Worms

Marhusin

Lokan

Larkin

et al. 2009

2009 Third International Conference on Network and System Security

View full text Add to dashboard Cite

Abstract-In this paper we demonstrate our signature based detector for self-propagating worms. We use a set of worm and benign traffic traces of several endpoints to build benign and worm profiles. These profiles were arranged into separate nary trees. We also demonstrate our anomaly detector that was used to deal with tied matches between worm and benign trees. We analyzed the performance of each detector and also with their integration. Results show that our signature based detector can detect very high true positive. Meanwhile, the anomaly detector did not achieve high true positive. Both detectors, when used independently, suffer high false positive. However, when both detectors were integrated they maintained a high detection rate of true positive and minimized the false positive.

show abstract

“…A paper by (Abbes, Bouhoula & Rusinowitch, 2004) describes a system using a decision tree in conjunction with protocol analysis. The protocol analysis uses a specification file for the protocol being monitored and performs 'Aho-Corasick' (Aho & Corasick, 1975) string matching on only the appropriate parts of the data stream.…”

Section: Background and Related Workmentioning

confidence: 99%