Hybrid Detection of Application Layer Attacks Using Markov Models for Normality and Attacks
Identifieur interne : 000D80 ( Main/Exploration ); précédent : 000D79; suivant : 000D81Hybrid Detection of Application Layer Attacks Using Markov Models for Normality and Attacks
Auteurs : Rolando Salazar-Hernández [Espagne] ; Jesús E. Díaz-Verdejo [Espagne]Source :
- Lecture Notes in Computer Science [ 0302-9743 ] ; 2010.
Abstract
Abstract: Previous works has shown that Markov modelling can be used to model the payloads of the observed packets from a selected protocol with applications to anomaly-based intrusion detection. The detection is made based on a normality score derived from the model and a tunable threshold, which allows the choice of the operating point in terms of detection and false positive rates. In this work a hybrid system is proposed and evaluated based on this approach. The detection is made by explicit modelling of both the attack and the normal payloads and the joint use of a recognizer and a threshold based detector. First, the recognizer evaluates the probabilities of a payload being normal or attack and a probability of missclassification. The dubious results are passed through the detector, which evaluates the normality score. The system allows the choice of the operating point and improves the performance of the basic system.
Url:
DOI: 10.1007/978-3-642-17650-0_29
Affiliations:
Links toward previous steps (curation, corpus...)
- to stream Istex, to step Corpus: 005C20
- to stream Istex, to step Curation: 005C20
- to stream Istex, to step Checkpoint: 000601
- to stream Main, to step Merge: 000D83
- to stream Main, to step Curation: 000D80
Le document en format XML
<record><TEI wicri:istexFullTextTei="biblStruct"><teiHeader><fileDesc><titleStmt><title xml:lang="en">Hybrid Detection of Application Layer Attacks Using Markov Models for Normality and Attacks</title><author><name sortKey="Salazar Hernandez, Rolando" sort="Salazar Hernandez, Rolando" uniqKey="Salazar Hernandez R" first="Rolando" last="Salazar-Hernández">Rolando Salazar-Hernández</name></author><author><name sortKey="Diaz Verdejo, Jesus E" sort="Diaz Verdejo, Jesus E" uniqKey="Diaz Verdejo J" first="Jesús E." last="Díaz-Verdejo">Jesús E. Díaz-Verdejo</name></author></titleStmt><publicationStmt><idno type="wicri:source">ISTEX</idno><idno type="RBID">ISTEX:822F38610A97D7AE36BBE901C8DD38FF8225B5B1</idno><date when="2010" year="2010">2010</date><idno type="doi">10.1007/978-3-642-17650-0_29</idno><idno type="url">https://api.istex.fr/document/822F38610A97D7AE36BBE901C8DD38FF8225B5B1/fulltext/pdf</idno><idno type="wicri:Area/Istex/Corpus">005C20</idno><idno type="wicri:explorRef" wicri:stream="Istex" wicri:step="Corpus" wicri:corpus="ISTEX">005C20</idno><idno type="wicri:Area/Istex/Curation">005C20</idno><idno type="wicri:Area/Istex/Checkpoint">000601</idno><idno type="wicri:explorRef" wicri:stream="Istex" wicri:step="Checkpoint">000601</idno><idno type="wicri:doubleKey">0302-9743:2010:Salazar Hernandez R:hybrid:detection:of</idno><idno type="wicri:Area/Main/Merge">000D83</idno><idno type="wicri:Area/Main/Curation">000D80</idno><idno type="wicri:Area/Main/Exploration">000D80</idno></publicationStmt><sourceDesc><biblStruct><analytic><title level="a" type="main" xml:lang="en">Hybrid Detection of Application Layer Attacks Using Markov Models for Normality and Attacks</title><author><name sortKey="Salazar Hernandez, Rolando" sort="Salazar Hernandez, Rolando" uniqKey="Salazar Hernandez R" first="Rolando" last="Salazar-Hernández">Rolando Salazar-Hernández</name><affiliation wicri:level="4"><country xml:lang="fr">Espagne</country><wicri:regionArea>CTIC - Dpt. of Signal Theory, Telematics and Communications, University of Granada</wicri:regionArea><placeName><settlement type="city">Grenade (Espagne)</settlement><region nuts="2" type="region">Andalousie</region></placeName><orgName type="university">Université de Grenade</orgName></affiliation><affiliation wicri:level="1"><country wicri:rule="url">Espagne</country></affiliation></author><author><name sortKey="Diaz Verdejo, Jesus E" sort="Diaz Verdejo, Jesus E" uniqKey="Diaz Verdejo J" first="Jesús E." last="Díaz-Verdejo">Jesús E. Díaz-Verdejo</name><affiliation wicri:level="4"><country xml:lang="fr">Espagne</country><wicri:regionArea>CTIC - Dpt. of Signal Theory, Telematics and Communications, University of Granada</wicri:regionArea><placeName><settlement type="city">Grenade (Espagne)</settlement><region nuts="2" type="region">Andalousie</region></placeName><orgName type="university">Université de Grenade</orgName></affiliation><affiliation wicri:level="1"><country wicri:rule="url">Espagne</country></affiliation></author></analytic><monogr></monogr><series><title level="s">Lecture Notes in Computer Science</title><imprint><date>2010</date></imprint><idno type="ISSN">0302-9743</idno><idno type="eISSN">1611-3349</idno><idno type="ISSN">0302-9743</idno></series><idno type="istex">822F38610A97D7AE36BBE901C8DD38FF8225B5B1</idno><idno type="DOI">10.1007/978-3-642-17650-0_29</idno><idno type="ChapterID">29</idno><idno type="ChapterID">Chap29</idno></biblStruct></sourceDesc><seriesStmt><idno type="ISSN">0302-9743</idno></seriesStmt></fileDesc><profileDesc><textClass></textClass><langUsage><language ident="en">en</language></langUsage></profileDesc></teiHeader><front><div type="abstract" xml:lang="en">Abstract: Previous works has shown that Markov modelling can be used to model the payloads of the observed packets from a selected protocol with applications to anomaly-based intrusion detection. The detection is made based on a normality score derived from the model and a tunable threshold, which allows the choice of the operating point in terms of detection and false positive rates. In this work a hybrid system is proposed and evaluated based on this approach. The detection is made by explicit modelling of both the attack and the normal payloads and the joint use of a recognizer and a threshold based detector. First, the recognizer evaluates the probabilities of a payload being normal or attack and a probability of missclassification. The dubious results are passed through the detector, which evaluates the normality score. The system allows the choice of the operating point and improves the performance of the basic system.</div></front></TEI><affiliations><list><country><li>Espagne</li></country><region><li>Andalousie</li></region><settlement><li>Grenade (Espagne)</li></settlement><orgName><li>Université de Grenade</li></orgName></list><tree><country name="Espagne"><region name="Andalousie"><name sortKey="Salazar Hernandez, Rolando" sort="Salazar Hernandez, Rolando" uniqKey="Salazar Hernandez R" first="Rolando" last="Salazar-Hernández">Rolando Salazar-Hernández</name></region><name sortKey="Diaz Verdejo, Jesus E" sort="Diaz Verdejo, Jesus E" uniqKey="Diaz Verdejo J" first="Jesús E." last="Díaz-Verdejo">Jesús E. Díaz-Verdejo</name><name sortKey="Diaz Verdejo, Jesus E" sort="Diaz Verdejo, Jesus E" uniqKey="Diaz Verdejo J" first="Jesús E." last="Díaz-Verdejo">Jesús E. Díaz-Verdejo</name><name sortKey="Salazar Hernandez, Rolando" sort="Salazar Hernandez, Rolando" uniqKey="Salazar Hernandez R" first="Rolando" last="Salazar-Hernández">Rolando Salazar-Hernández</name></country></tree></affiliations></record>Pour manipuler ce document sous Unix (Dilib)
EXPLOR_STEP=$WICRI_ROOT/Ticri/CIDE/explor/TelematiV1/Data/Main/Exploration
HfdSelect -h $EXPLOR_STEP/biblio.hfd -nk 000D80 | SxmlIndent | more
Ou
HfdSelect -h $EXPLOR_AREA/Data/Main/Exploration/biblio.hfd -nk 000D80 | SxmlIndent | more
Pour mettre un lien sur cette page dans le réseau Wicri
{{Explor lien
|wiki= Ticri/CIDE
|area= TelematiV1
|flux= Main
|étape= Exploration
|type= RBID
|clé= ISTEX:822F38610A97D7AE36BBE901C8DD38FF8225B5B1
|texte= Hybrid Detection of Application Layer Attacks Using Markov Models for Normality and Attacks
}}
| This area was generated with Dilib version V0.6.31. |  |