Experiences with specification-based intrusion detection

Prem Uppuluri; R. Sekar

Experiences with specification-based intrusion detection

Prem Uppuluri
, R. Sekar

Computer Science

Stony Brook University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

58 Scopus citations

Abstract

Specification-based intrusion detection, where manually specified program behavioral specifications are used as a basis to detect attacks, have been proposed as a promising alternative that combine the strengths of misuse detection (accurate detection of known attacks) and anomaly detection (ability to detect novel attacks). However, the question of whether this promise can be realized in practice has remained open. We answer this question in this paper, based on our experience in building a specification-based intrusion detection system and experimenting with it. Our experiments included the 1999 DARPA/AFRL online evaluation, as well as experiments conducted using 1999 DARPA/Lincoln Labs offline evaluation data. These experiments show that an effective specification-based IDS can be developed with modest efforts. They also show that the specification-based techniques live up to their promise of detecting known as well as unknown attacks, while maintaining a very low rate of false positives.

Original language	English
Title of host publication	Recent Advances in Intrusion Detection - 4th International Symposium, RAID 2001, Proceedings
Editors	Wenke Lee, Ludovic Me, Andreas Wespi
Publisher	Springer Verlag
Pages	172-189
Number of pages	18
ISBN (Print)	3540427023, 9783540427025
State	Published - 2015
Event	4th International Symposium on Recent Advances in Intrusion Detection, RAID 2001 - Davis, United States Duration: Oct 10 2001 → Oct 12 2001

Publication series

Name	Lecture Notes in Computer Science
Volume	2212
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	4th International Symposium on Recent Advances in Intrusion Detection, RAID 2001
Country/Territory	United States
City	Davis
Period	10/10/01 → 10/12/01

Cite this

@inproceedings{027f30c5ac8843f2b0b8b1bcba9f3a45,

title = "Experiences with specification-based intrusion detection",

abstract = "Specification-based intrusion detection, where manually specified program behavioral specifications are used as a basis to detect attacks, have been proposed as a promising alternative that combine the strengths of misuse detection (accurate detection of known attacks) and anomaly detection (ability to detect novel attacks). However, the question of whether this promise can be realized in practice has remained open. We answer this question in this paper, based on our experience in building a specification-based intrusion detection system and experimenting with it. Our experiments included the 1999 DARPA/AFRL online evaluation, as well as experiments conducted using 1999 DARPA/Lincoln Labs offline evaluation data. These experiments show that an effective specification-based IDS can be developed with modest efforts. They also show that the specification-based techniques live up to their promise of detecting known as well as unknown attacks, while maintaining a very low rate of false positives.",

author = "Prem Uppuluri and R. Sekar",

note = "Publisher Copyright: {\textcopyright} Springer-Verlag Berlin Heidelberg 2001.; 4th International Symposium on Recent Advances in Intrusion Detection, RAID 2001 ; Conference date: 10-10-2001 Through 12-10-2001",

year = "2015",

language = "English",

isbn = "3540427023",

series = "Lecture Notes in Computer Science",

publisher = "Springer Verlag",

pages = "172--189",

editor = "Wenke Lee and Ludovic Me and Andreas Wespi",

booktitle = "Recent Advances in Intrusion Detection - 4th International Symposium, RAID 2001, Proceedings",

}

Uppuluri, P & Sekar, R 2015, Experiences with specification-based intrusion detection. in W Lee, L Me & A Wespi (eds), Recent Advances in Intrusion Detection - 4th International Symposium, RAID 2001, Proceedings. Lecture Notes in Computer Science, vol. 2212, Springer Verlag, pp. 172-189, 4th International Symposium on Recent Advances in Intrusion Detection, RAID 2001, Davis, United States, 10/10/01.

Experiences with specification-based intrusion detection. / Uppuluri, Prem; Sekar, R.
Recent Advances in Intrusion Detection - 4th International Symposium, RAID 2001, Proceedings. ed. / Wenke Lee; Ludovic Me; Andreas Wespi. Springer Verlag, 2015. p. 172-189 (Lecture Notes in Computer Science; Vol. 2212).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Experiences with specification-based intrusion detection

AU - Uppuluri, Prem

AU - Sekar, R.

N1 - Publisher Copyright: © Springer-Verlag Berlin Heidelberg 2001.

PY - 2015

Y1 - 2015

N2 - Specification-based intrusion detection, where manually specified program behavioral specifications are used as a basis to detect attacks, have been proposed as a promising alternative that combine the strengths of misuse detection (accurate detection of known attacks) and anomaly detection (ability to detect novel attacks). However, the question of whether this promise can be realized in practice has remained open. We answer this question in this paper, based on our experience in building a specification-based intrusion detection system and experimenting with it. Our experiments included the 1999 DARPA/AFRL online evaluation, as well as experiments conducted using 1999 DARPA/Lincoln Labs offline evaluation data. These experiments show that an effective specification-based IDS can be developed with modest efforts. They also show that the specification-based techniques live up to their promise of detecting known as well as unknown attacks, while maintaining a very low rate of false positives.

AB - Specification-based intrusion detection, where manually specified program behavioral specifications are used as a basis to detect attacks, have been proposed as a promising alternative that combine the strengths of misuse detection (accurate detection of known attacks) and anomaly detection (ability to detect novel attacks). However, the question of whether this promise can be realized in practice has remained open. We answer this question in this paper, based on our experience in building a specification-based intrusion detection system and experimenting with it. Our experiments included the 1999 DARPA/AFRL online evaluation, as well as experiments conducted using 1999 DARPA/Lincoln Labs offline evaluation data. These experiments show that an effective specification-based IDS can be developed with modest efforts. They also show that the specification-based techniques live up to their promise of detecting known as well as unknown attacks, while maintaining a very low rate of false positives.

UR - https://www.scopus.com/pages/publications/84947547225

M3 - Conference contribution

AN - SCOPUS:84947547225

SN - 3540427023

SN - 9783540427025

T3 - Lecture Notes in Computer Science

SP - 172

EP - 189

BT - Recent Advances in Intrusion Detection - 4th International Symposium, RAID 2001, Proceedings

A2 - Lee, Wenke

A2 - Me, Ludovic

A2 - Wespi, Andreas

PB - Springer Verlag

T2 - 4th International Symposium on Recent Advances in Intrusion Detection, RAID 2001

Y2 - 10 October 2001 through 12 October 2001

ER -

Experiences with specification-based intrusion detection

Abstract

Publication series

Conference

Other files and links

Fingerprint

Cite this