State transition analysis: a rule-based intrusion detection approach

Ilgun, K.; Kemmerer, Richard A.; Porras, Phillip

doi:10.1109/32.372146

Cited by 565 publications

(246 citation statements)

References 11 publications

Supporting

Mentioning

226

Contrasting

Unclassified

Order By: Relevance

“…This graph has been constructed to express the dependencies and the different paths of combining beliefs for Rule 6. The graph reflects that the occurrence of E 2 in the rule depends on 7 Such events may typically appear in rules of the form ¬Happens(e1,t1,R(a,b)) ⇒ Happens(e2,t2,R(t1,t1+c)). The event ¬Happens(e1,t1,R(a,b)) in this rule has a time range with fully determined boundaries (a and b) prior to runtime and will remain as a negated event in the negated form of the rule, i.e., ¬Happens(e1,t1,R(a,b)) ∧ ¬Happens(e2,t2,R(t1,t1+c))…”

Section: Fig 146 D-s Belief Graph For Rulementioning

confidence: 99%

“…Intrusions are, thus, detected as deviations from the expected normal behaviour of the system. Misuse-based approaches [7,11,27], on the other hand, are based on models of known attacks.…”

Section: Related Workmentioning

confidence: 99%

“…These edges are labelled by the basic probability assignment corresponding to the event E i that they point to (i.e., the basic probability assignment m i ). Negated events, on the other hand, are linked with the Start node only if they have a time range defined by constant values at the time of application of the algorithm (i.e., prior to runtime) and, therefore, it will be possible to establish their absence or not prior the seeing any other event at runtime (see conditions in lines 14 and 17) 7 . The edge linking the Start node with a negated event E i is labelled by the basic probability function m NAF i|<x> .…”

mentioning

confidence: 99%

See 2 more Smart Citations

Diagnosis and Threat Detection Capabilities of the SERENITY Monitoring Framework

Tsigkritis

Spanoudakis

Kloukinas

et al. 2009

Security and Dependability for Ambient Intelligence

View full text Add to dashboard Cite

This is the accepted version of the paper.This version of the publication may differ from the final published version. Abstract The SERENITY monitoring framework offers mechanisms for diagnosing the causes of violations of security and dependability (S&D) properties and detecting potential violations of such properties, called "threats". Diagnostic information and threat detection are often necessary for deciding what an appropriate reaction to a violation is and taking pre-emptive actions against predicted violations, respectively. In this chapter, we describe the mechanisms of the SERENITY monitoring framework which generate diagnostic information for violations of S&D properties and detecting threats. Permanent

show abstract

Section: Fig 146 D-s Belief Graph For Rulementioning

confidence: 99%

“…Intrusions are, thus, detected as deviations from the expected normal behaviour of the system. Misuse-based approaches [7,11,27], on the other hand, are based on models of known attacks.…”

Section: Related Workmentioning

confidence: 99%

mentioning

confidence: 99%

See 1 more Smart Citation

Diagnosis and Threat Detection Capabilities of the SERENITY Monitoring Framework

Tsigkritis

Spanoudakis

Kloukinas

et al. 2009

Security and Dependability for Ambient Intelligence

View full text Add to dashboard Cite

show abstract

“…Misuse detection models the patterns of known attacks or vulnerabilities, and identifies actions that conform to such patterns as attacks. Existing approaches include rule-based methods (e.g., ASAX [26], P-BEST [25]), state transition based methods [5], [14], and data mining approaches [22], [23]. Most of these techniques cannot be directly applied to sensor networks due to the resource constraints on sensor nodes.…”

Section: Intrusion Detectionmentioning

confidence: 99%

LAD: Localization anomaly detection for wireless sensor networks

Fang

Ningi

2006

Journal of Parallel and Distributed Computing

134

130

View full text Add to dashboard Cite

Abstract-In wireless sensor networks (WSNs), sensors' locations play a critical role in many applications. Having a GPS receiver on every sensor node is costly. In the past, a number of location discovery (localization) schemes have been proposed. Most of these schemes share a common feature: they use some special nodes, called beacon nodes, which are assumed to know their own locations (e.g., through GPS receivers or manual configuration). Other sensors discover their locations based on the reference information provided by these beacon nodes.Most of the beacon-based localization schemes assume a benign environment, where all beacon nodes are supposed to provide correct reference information. However, when the sensor networks are deployed in a hostile environment, where beacon nodes can be compromised, such an assumption does not hold anymore.In this paper, we propose a general scheme to detect localization anomalies that are caused by adversaries. Our scheme is independent from the localization schemes. We formulate the problem as an anomaly intrusion detection problem, and we propose a number of ways to detect localization anomalies. We have conducted simulations to evaluate the performance of our scheme, including the false positive rates, the detection rates, and the resilience to node compromises.

show abstract

“…Since then, various IDS have been developed and a number of intrusion detection systems have directly employ this model e.g. [5] [6].…”

Section: Intrusion Detection System For Manetmentioning

confidence: 99%

Agent-Based Immunological Intrusion Detection System for Mobile Ad-Hoc Networks

Byrski

Carvalho

2008

Computational Science – ICCS 2008

View full text Add to dashboard Cite

Abstract. Mobile Ad-hoc Networks are known to bring very special challenges to intrusion detection systems, mostly because of their dynamic nature and communication characteristics. In the last few years, several research efforts have proposed the use of immune-inspired systems for intrusion detection in MANETs. In most cases, however, only low-level pattern construction and matching have been considered, often customized to specific routing strategies or protocols. In this paper we present a more general, agent-based approach to the problem. Our approach proposes the use of artificial immune systems for anomaly detection in a way that is independent of specific routing protocols and services. After introducing the problem and the proposed system, we describe our proof-of-concept implementation and our preliminary experimental results over NS-2 simulations.

show abstract

State transition analysis: a rule-based intrusion detection approach

Cited by 565 publications

References 11 publications

Diagnosis and Threat Detection Capabilities of the SERENITY Monitoring Framework

Diagnosis and Threat Detection Capabilities of the SERENITY Monitoring Framework

LAD: Localization anomaly detection for wireless sensor networks

Agent-Based Immunological Intrusion Detection System for Mobile Ad-Hoc Networks

Contact Info

Product

Resources

About