Detecting Novel Network Intrusions Using Bayes Estimators

From the first appearance of network attacks, the internet worm, to the most recent one in which the servers of several famous e-business companies were paralyzed for several hours, causing huge financial losses, network-based attacks have been increasing in frequency and severity. As a powerful weapon to protect networks, intrusion detection has been gaining a lot of attention. Traditionally, intrusion detection techniques are classified into two broad categories: misuse detection and anomaly detection. Misuse detection aims to detect well-known attacks as well as slight variations of them, by characterizing the rules that govern these attacks. Due to its nature, misuse detection has low false alarms but it is unable to detect any attacks that lie beyond its knowledge. Anomaly detection is designed to capture any deviations from the established profiles of users and systems normal behavior pattern. Although in principle, anomaly detection has the ability to detect new attacks, in practice this is far from easy. Anomaly detection has the potential to generate too many false alarms, and it is very time consuming and labor expensive to sift true intrusions from the false alarms. As new network attacks emerge, the need for intrusion detection systems to detect novel attacks becomes pressing. As we stated before, this is one of the hardest tasks to accomplish, since no knowledge about the novel attacks is available. However, if we view the problem from another angle, we can find a solution. Attacks do something that is different from normal activities: if we have comprehensive knowledge about normal activities and their normal deviations, then all activities ∗This work has been funded by AFRL Rome Labs under the contract F 30602-00-2-0512. †All the authors are at George Mason University, Center for Secure Information Systems Fairfax, VA 22303