Abstract
This survey focuses on intrusion detection systems (IDS) that leverage host-based data sources for detecting attacks on enterprise networks. The host-based IDS (HIDS) literature is organized by the input data source, presenting targeted sub-surveys of HIDS research leveraging system logs, audit data, the Windows Registry, file systems, and program analysis. While system calls are generally included in audit data, several publicly available system call datasets have spawned a flurry of IDS research on this topic, which merits a separate section. To accommodate current researchers, a section giving descriptions of publicly available datasets is included, outlining their characteristics and shortcomings when used for IDS evaluation. Related surveys are organized and described. All sections are accompanied by tables concisely organizing the literature and datasets discussed. Finally, challenges, trends, and broader observations are noted throughout the survey and in the conclusion, along with future directions of IDS research. Overall, this survey was designed to allow easy access to the diverse types of data available on a host for sensing intrusion, the progression of research using each, and the accessible datasets for prototyping in the area.
- Mahbod Tavallaee, Ebrahim Bagheri, Wei Lu, and Ali A. Ghorbani. 2009. A detailed analysis of the KDD CUP 99 data set. In Proceedings of the IEEE Symposium on Computational Intelligence for Security and Defense Applications (CISDA’09). IEEE, 1--6.Google Scholar
- Taha Ait Tchakoucht, Mostafa Ezziyyani, Mohammed Jbilou, and Mikael Salaun. 2015. Behavioral approach for intrusion detection. In Proceedings of the IEEE/ACS 12th International Conference on Computer Systems and Applications (AICCSA’15). IEEE, 1--5.Google Scholar
- Xiaojun Tong, Zhu Wang, and Haining Yu. 2009. A research using hybrid RBF/Elman neural networks for intrusion detection system secure model. Comput. Phys. Commun. 180, 10 (2009), 1795--1801.Google ScholarCross Ref
- M. Topallar, M. O. Depren, E. Anarim, and K. Ciliz. 2004. Host-based intrusion detection by monitoring Windows registry accesses. In Proceedings of the IEEE 12th Signal Processing and Communications Applications Conference. IEEE, 728--731.Google Scholar
- M. J. M. Turcotte, A. D. Kent, and C. Hash. 2017. Unified host and network data set. ArXiv e-prints abs/1708.07518.Google Scholar
- Christian Vaas and Jassim Happa. 2017. Detecting disguised processes using application-behavior profiling. In Proceedings of the IEEE International Symposium on Technologies for Homeland Security (HST’17). IEEE, 1--6.Google ScholarCross Ref
- Kalyan Veeramachaneni, Ignacio Arnaldo, Vamsi Korrapati, Constantinos Bassias, and Ke Li. 2016. AI2: Training a big data machine to defend. In Proceedings of the IEEE International Conference on High Performance and Smart Computing (HPSC’16), and IEEE International Conference on Intelligent Data and Security (IDS’16), IEEE 2nd International Conference on Big Data Security on Cloud (BigDataSecurity’16). IEEE, New York, NY, 49--54.Google Scholar
- M. E. Verma and R. A. Bridges. 2018. Defining a metric space of host logs and operational use cases. In Proceedings of the IEEE International Conference on Big Data (Big Data’18). 5068--5077. DOI:https://doi.org/10.1109/BigData.2018.8622083Google Scholar
- L. Vokorokos and A. Baláž. 2010. Host-based intrusion detection system. In Proceedings of the 14th International Conference on Intelligent Engineering Systems (INES’10). IEEE, 43--47.Google Scholar
- Liberios Vokorokos, Anton Balaz, and Martin Chovanec. 2006. Intrusion detection system using self organizing map. Acta Electrotech. Informat. 6, 1 (2006), 1--6.Google Scholar
- David Wagner and R. Dean. 2001. Intrusion detection via static analysis. In Proceedings of the IEEE Symposium on Security and Privacy (S&P’’01). IEEE, 156--168.Google Scholar
- Zhijian Wang and Yanqin Zhu. 2017. A centralized HIDS framework for private cloud. In Proceedings of the 18th IEEE/ACIS International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing (SNPD’17). IEEE, 115--120.Google ScholarCross Ref
- Christina Warrender, Stephanie Forrest, and Barak Pearlmutter. 1999. Detecting intrusions using system calls: Alternative data models. In Proceedings of the 1999 IEEE Symposium on Security and Privacy. IEEE, 133--145.Google ScholarCross Ref
- Miao Xie and Jiankun Hu. 2013. Evaluating host-based anomaly detection systems: A preliminary analysis of ADFA-LD. In Proceedings of the 6th International Congress on Image and Signal Processing (CISP’13), Vol. 3. IEEE, 1711--1716.Google ScholarCross Ref
- Miao Xie, Jiankun Hu, and Jill Slay. 2014. Evaluating host-based anomaly detection systems: Application of the one-class svm algorithm to ADFA-LD. In Proceedings of the 11th International Conference on Fuzzy Systems and Knowledge Discovery (FSKD’14). IEEE, 978--982.Google ScholarCross Ref
- Miao Xie, Jiankun Hu, Xinghuo Yu, and Elizabeth Chang. 2014. Evaluating host-based anomaly detection systems: Application of the frequency-based algorithms to ADFA-LD. In Proceedings of the International Conference on Network and System Security. Springer, Berlin, 542--549.Google ScholarCross Ref
- Xiaolong Xu, Guangpei Liu, and Jie Zhu. 2016. Cloud data security and integrity protection model based on distributed virtual machine agents. In Proceedings of the International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC’16). IEEE, Chengdu, China, 6--13.Google ScholarCross Ref
- Nong Ye, Syed Masum Emran, Qiang Chen, and Sean Vilbert. 2002. Multivariate statistical analysis of audit trails for host-based intrusion detection. IEEE Trans. Comput. 51, 7 (2002), 810--820.Google ScholarDigital Library
- Nong Ye, Xiangyang Li, Qiang Chen, Syed Masum Emran, and Mingming Xu. 2001. Probabilistic techniques for intrusion detection based on computer audit data. IEEE Trans. Syst. Man Cybernet. Part A: Syst. Hum. 31, 4 (2001), 266--274.Google ScholarDigital Library
- Qing Ye, Xiaoping Wu, and Bo Yan. 2010. An intrusion detection approach based on system call sequences and rules extraction. In Proceedings of the 2nd International Conference on e-Business and Information System Security (EBISS’10). IEEE, Wuhan, China, 1--4.Google ScholarCross Ref
- Tianwei Zhang and Ruby B. Lee. 2015. Cloudmonatt: An architecture for security health monitoring and attestation of virtual machines in cloud computing. In Proceedings of the ACM/IEEE 42nd Annual International Symposium on Computer Architecture (ISCA’15). IEEE, 362--374.Google Scholar
- Zonghua Zhang and Hong Shen. 2005. Application of online-training SVMs for real-time intrusion detection with different considerations. Comput. Commun. 28, 12 (2005), 1428--1442.Google ScholarDigital Library
- Gu Zhaojun and Wang Chao. 2010. Statistic and analysis for Host-based syslog. In Proceedings of the 2nd International Workshop on Education Technology and Computer Science (ETCS’10), Vol. 2. IEEE, 277--280.Google ScholarCross Ref
Index Terms
- A Survey of Intrusion Detection Systems Leveraging Host Data