Sequence Covering for Efficient Host-Based Intrusion Detection

Marteau, Pierre-François

doi:10.1109/tifs.2018.2868614

Cited by 33 publications

(16 citation statements)

References 37 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Ye et al 37 used multivariable control technology to establish a norm for normal activities in an information system and then used the norm to detect anomalies and judge intrusion behaviors. Based on the suffix tree data structure, Marteau 38 and others proposed a method to measure the similarity of host intrusion behavior, which can isolate the attack sequence from the normal sequence within the host's intrusion detection range. Serpen et al 39 introduced a system design scheme for intrusion detection for the Linux operating system.…”

Section: Related Workmentioning

confidence: 99%

Analyzing host security using D‐S evidence theory and multisource information fusion

Yao

Zhang

et al. 2020

Int J Intell Syst

View full text Add to dashboard Cite

Section: Related Workmentioning

confidence: 99%

Analyzing host security using D‐S evidence theory and multisource information fusion

Yao

Zhang

et al. 2020

Int J Intell Syst

View full text Add to dashboard Cite

“…The authors in Refs. [11,12] selected five types of features, including RAM usage, node network connections and usage of bandwidth etc., to perform anomaly detection. The experimental results verified by their method have good performance in node level anomaly detection.…”

Section: Related Workmentioning

confidence: 99%

IMLADS: Intelligent Maintenance and Lightweight Anomaly Detection System for Internet of Things

Qin

Wang

Chen

et al. 2019

Sensors

View full text Add to dashboard Cite

System security monitoring has become more and more difficult with the ever-growing complexity and dynamicity of the Internet of Things (IoT). In this paper, we develop an Intelligent Maintenance and Lightweight Anomaly Detection System (IMLADS) for efficient security management of the IoT. Firstly, unlike the traditional system use static agents, we employ the mobile agent to perform data collection and analysis, which can automatically transfer to other nodes according to the pre-set monitoring task. The mobility is handled by the mobile agent running platform, which is irrelevant with the node or its operation system. Combined with this technology, we can greatly reduce the number of agents running in the system while increasing the system stability and scalability. Secondly, we design different methods for node level and system level security monitoring. For the node level security monitoring, we develop a lightweight data collection and analysis method which only occupy little local computing resources. For the system level security monitoring, we proposed a parameter calculation method based on sketch, whose computational complexity is constant and irrelevant with the system scale. Finally, we design agents to perform suitable response policies for system maintenance and abnormal behavior control based on the anomaly mining results. The experimental results based on the platform constructed show that the proposed method has lower computational complexity and higher detection accuracy. For the node level monitoring, the time complexity is reduced by 50% with high detection accuracy. For the system level monitoring, the time complexity is about 1 s for parameter calculation in a middle scale IoT network.

show abstract

“…Host-based intrusion detection systems are an essential component of cybersecurity [16], [17]; however, our work is confined to the area of network-based detection systems, since our model is based only on network packets before they reach the authoritative DNS server.…”

Section: Related Workmentioning

confidence: 99%

DNS-ADVP: A Machine Learning Anomaly Detection and Visual Platform to Protect Top-Level Domain Name Servers Against DDoS Attacks

et al. 2019

View full text Add to dashboard Cite

DNS DDoS attacks may severely affect the operation of computer networks, prompting the need for methods able to timely detect them, and then to apply mitigation countermeasures. Visual models have been used to detect an ongoing DDoS attack, but often demand continuous attention from IT staff. However, machine learning techniques could complement a visual model with further information and with on-time alerts that could help IT officers give attention only when an attack is in progress at its very early stage. In this paper, we present DNS-ADVP, a DNS Anomaly Detection Visual Platform, which, in an integrated manner, provides a novel visualisation that depicts on-line DNS traffic, and a one-class classifier that deals with traffic anomaly detection. Using the visual mode, an IT officer may interpret the current state of traffic for an authoritative DNS server; the model comes with visual semaphores, controlled by the one-class classifier. Due to the highly dynamic nature of DNS traffic, our classification method continuously updates what counts as normal behaviour; it has been successfully tested on synthetic attacks, with an 83% of the area under the curve (AUC). DNS-ADVP is currently in use to real-time monitoring an actual authoritative DNS server.

show abstract

Sequence Covering for Efficient Host-Based Intrusion Detection

Cited by 33 publications

References 37 publications

Analyzing host security using D‐S evidence theory and multisource information fusion

Analyzing host security using D‐S evidence theory and multisource information fusion

IMLADS: Intelligent Maintenance and Lightweight Anomaly Detection System for Internet of Things

DNS-ADVP: A Machine Learning Anomaly Detection and Visual Platform to Protect Top-Level Domain Name Servers Against DDoS Attacks

Contact Info

Product

Resources

About