computers & security 28 (2009) 18–28
Anomaly-based network intrusion detection: Techniques, systems and challenges
P. García-Teodoro a,*, J. Díaz-Verdejo a, G. Maciá-Fernández a, E. Vázquez b
a Department of Signal Theory, Telematics and Communications – Computer Science and Telecommunications Faculty, University of Granada, Granada, Spain
b Department of Telematic Engineering – Universidad Politécnica de Madrid, Madrid, Spain
Received 9 January 2008
Accepted 13 August 2008
Keyword: IDS systems and platforms

The Internet and computer networks are exposed to an increasing number of security threats. With new types of attacks appearing continually, developing flexible and adaptive security-oriented approaches is a severe challenge. In this context, anomaly-based network intrusion detection techniques are a valuable technology to protect target systems and networks against malicious activities. However, despite the variety of such methods described in the literature in recent years, security tools incorporating anomaly detection functionalities are just starting to appear, and several important problems remain to be solved. This paper begins with a review of the most well-known anomaly-based intrusion detection techniques. Then, available platforms, systems under development and research projects in the area are presented. Finally, we outline the main challenges to be dealt with for the wide-scale deployment of anomaly-based intrusion detectors, with special emphasis on assessment issues.
© 2008 Elsevier Ltd. All rights reserved.
Intrusion Detection Systems (IDS) are security tools that, like other measures such as antivirus software, firewalls and access control schemes, are intended to strengthen the security of information and communication systems. As shown in Kabiri and Ghorbani (2005) and Sobh (2006), several IDS approaches have been proposed in the specialized literature since the origins of this technology; two highly relevant works in this direction are Denning (1987) and Staniford-Chen et al. (1998).
Noteworthy work has been carried out by CIDF (“Common Intrusion Detection Framework”), a working group created by DARPA in 1998 mainly oriented towards coordinating and defining a common framework in the IDS field. Integrated within IETF in 2000, and having adopted the new acronym IDWG (“Intrusion Detection Working Group”), the group defined a general IDS architecture based on the consideration of four types of functional modules (Fig. 1):
- E blocks (“Event-boxes”): This kind of block is composed of sensor elements that monitor the target system, thus acquiring information events to be analyzed by other blocks.
- D blocks (“Database-boxes”): These are elements intended to store information from E blocks for subsequent processing by A and R boxes.
- A blocks (“Analysis-boxes”): Processing modules for analyzing events and detecting potential hostile behaviour, so that some kind of alarm will be generated if necessary.
* Corresponding author. Department of Signal Theory, Telematics and Communications – Computer Science and Telecommunications Faculty, University of Granada, C/ Periodista Daniel Saucedo Aranda, 18071 Granada, Spain. Tel.: +34 958242305; fax: +34 958240831.
doi:10.1016/j.cose.2008.08.003
Fig. 1 – General CIDF architecture for IDS systems.
- R blocks...
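The E/D/A division of the CIDF architecture described above, as an added Python sketch that is not the paper's own code: an E-box parses constructed sensor records into events, a D-box groups them by time bucket, and a statistical A-box learns the normal events-per-bucket count from a training window and raises an alarm when a later bucket exceeds it by more than k standard deviations. Class names, record format and the sample data are assumptions; the R block, which this page truncates, is not modelled.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Event:                 # one observation emitted by the E-box (constructed fields)
    t: int                   # time bucket (seconds)
    src: str                 # source address
    dst_port: int            # destination port
class EBox:
    """Sensor: parses raw records of the form "<t> <src> <dst_port>" into Events."""
    def observe(self, line: str) -> Event:
        t, src, port = line.split()
        return Event(int(t), src, int(port))
class DBox:
    """Store: groups events by time bucket for later analysis by the A-box."""
    def __init__(self):
        self.buckets = defaultdict(list)
    def store(self, ev: Event):
        self.buckets[ev.t].append(ev)

class ABox:
    """Anomaly analyser: learns mean/std dev of events per bucket; alarms when a bucket is > k std devs above the mean."""
    def __init__(self, k: float = 3.0):
        self.k, self.mu, self.sigma = k, 0.0, 0.0
    def train(self, counts):
        self.mu, self.sigma = mean(counts), pstdev(counts)
    def analyse(self, t: int, events):
        n = len(events)
        # z-score; with a flat profile (sigma == 0) any excess over the mean counts as anomalous
        score = (n - self.mu) / self.sigma if self.sigma else (float("inf") if n > self.mu else 0.0)
        if score <= self.k:
            return None
        return {"t": t, "count": n, "score": round(score, 2),
                "distinct_ports": len({e.dst_port for e in events})}

def build_sample_lines():
    """Constructed input (not real traffic): 10 quiet buckets, then one host touching 40 ports in bucket 10."""
    normal = [5, 4, 6, 5, 5, 4, 6, 5, 5, 5]
    lines = [f"{t} 10.0.0.{i + 1} 443" for t, n in enumerate(normal) for i in range(n)]
    return lines + [f"10 10.0.0.99 {1000 + p}" for p in range(40)]

def run_pipeline(lines, train_buckets: int = 10, k: float = 3.0):
    """E-box -> D-box -> A-box; returns alarms for buckets after the training window."""
    ebox, dbox, abox = EBox(), DBox(), ABox(k)
    for line in lines:
        dbox.store(ebox.observe(line))
    abox.train([len(dbox.buckets[t]) for t in range(train_buckets)])
    return [a for t, evs in sorted(dbox.buckets.items())
            if t >= train_buckets and (a := abox.analyse(t, evs)) is not None]
```

Running `run_pipeline(build_sample_lines())` yields a single alarm for bucket 10 (40 events, 40 distinct ports), while the ten training buckets stay silent.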