A Survey of Intrusion Detection Systems Leveraging Host Data

Authors:
Robert A. Bridges

Cyber 8 Applied Data Analytics Division, Oak Ridge National Laboratory

Cyber 8 Applied Data Analytics Division, Oak Ridge National Laboratory
View Profile

,
Tarrah R. Glass-Vanderlan

Cyber 8 Applied Data Analytics Division, Oak Ridge National Laboratory

Cyber 8 Applied Data Analytics Division, Oak Ridge National Laboratory

0000-0003-0642-6427
View Profile

,
Michael D. Iannacone

Cyber 8 Applied Data Analytics Division, Oak Ridge National Laboratory

Cyber 8 Applied Data Analytics Division, Oak Ridge National Laboratory
View Profile

,
Maria S. Vincent

Cyber 8 Applied Data Analytics Division, Oak Ridge National Laboratory

Cyber 8 Applied Data Analytics Division, Oak Ridge National Laboratory
View Profile

,
Qian (Guenevere) Chen

Electrical 8 Computer Engineering, University of Texas, San Antonio

Electrical 8 Computer Engineering, University of Texas, San Antonio

0000-0002-0130-5901
View Profile

Authors Info & Claims

ACM Computing Surveys Volume 52 Issue 6Article No.: 128pp 1–35https://doi.org/10.1145/3344382

Published:14 November 2019Publication History

ACM Computing Surveys

Abstract

This survey focuses on intrusion detection systems (IDS) that leverage host-based data sources for detecting attacks on enterprise network. The host-based IDS (HIDS) literature is organized by the input data source, presenting targeted sub-surveys of HIDS research leveraging system logs, audit data, Windows Registry, file systems, and program analysis. While system calls are generally included in audit data, several publicly available system call datasets have spawned a flurry of IDS research on this topic, which merits a separate section. To accommodate current researchers, a section giving descriptions of publicly available datasets is included, outlining their characteristics and shortcomings when used for IDS evaluation. Related surveys are organized and described. All sections are accompanied by tables concisely organizing the literature and datasets discussed. Finally, challenges, trends, and broader observations are throughout the survey and in the conclusion along with future directions of IDS research. Overall, this survey was designed to allow easy access to the diverse types of data available on a host for sensing intrusion, the progressions of research using each, and the accessible datasets for prototyping in the area.

References

Cristina Abad, Jed Taylor, Cigdem Sengul, William Yurcik, Yuanyuan Zhou, and Ken Rowe. 2003. Log correlation for intrusion detection: A proof of concept. In Proceedings of the 19th Annual Computer Security Applications Conference. IEEE, 255--264.Google ScholarDigital Library
Usman Ahmed and Asif Masood. 2009. Host-based intrusion detection using RBF neural networks. In Proceedings of the International Conference on Emerging Technologies (ICET’09). IEEE, 48--51.Google ScholarCross Ref
Mamoun Alazab, Sitalakshmi Venkatraman, Paul Watters, Moutaz Alazab, and Ammar Alazab. 2012. Cybercrime: The case of obfuscated malware. In Global Security, Safety and Sustainability, 8 e-Democracy. Springer, Berlin, 204--211.Google Scholar
M. Anandapriya and B. Lakshmanan. 2015. Anomaly-based host intrusion detection system using semantic-based system call patterns. In Proceedings of the 9th International Conference on Intelligent Systems and Control (ISCO’15). IEEE, 1--4.Google Scholar
James P. Anderson. 1972. Computer Security Technology Planning Study. Volume 2. Technical Report. James P. Anderson 8 Co., Fort Washington, PA.Google Scholar
James P. Anderson et al. 1980. Computer Security Threat Monitoring and Surveillance. Technical Report. James P. Anderson 8 Co., Fort Washington, PA.Google Scholar
Frank Apap, Andrew Honig, Shlomo Hershkop, Eleazar Eskin, and Sal Stolfo. 2002. Detecting malicious software by monitoring anomalous windows registry accesses. In Recent Advances in Intrusion Detection. Springer, Berlin, 36--53.Google Scholar
Stefan Axelsson. 2000. Intrusion Detection Systems: A Survey and Taxonomy. Technical Report.Google Scholar
Sandeep Bhatkar, Abhishek Chaturvedi, and R. Sekar. 2006. Dataflow anomaly detection. In Proceedings of the Security and Privacy Symposium. IEEE.Google Scholar
Martin Botha and Rossouw Von Solms. 2003. Utilising fuzzy logic and trend analysis for effective intrusion detection. Comput. Secur. 22, 5 (2003), 423--434.Google ScholarDigital Library
Yacine Bouzida and Sylvain Gombault. 2003. EigenProfiles for intrusion detection, profils propres pour la detection d’intrusion. In Département RSM GET/ENST. Actes du Symposium SSTIC, Bretagne, France.Google Scholar
Robert A. Bridges, Michael D. Iannacone, John R. Goodall, and Justin M. Beaver. 2018. How do information security workers use host data? A summary of interviews with security analysts. Retrieved from http://arxiv.org/abs/1812.02867.Google Scholar
R. A. Bridges, J. D. Jamieson, and J. W. Reed. 2017. Setting the threshold for high throughput detectors: A mathematical approach for ensembles of dynamic, heterogeneous, probabilistic anomaly detectors. In Proceedings of the IEEE International Conference on Big Data (Big Data’17). IEEE, 1071--1078. DOI:https://doi.org/10.1109/BigData.2017.8258031Google Scholar
S. Terry Brugger and Jedidiah Chow. 2007. An assessment of the DARPA IDS evaluation dataset using snort. UCDavis Dept. Comput. Sci. 1, 2007 (2007), 22.Google Scholar
Guy Bruneau. 2001. The history and evolution of intrusion detection. SANS Inst. 1, 2f (2001).Google Scholar
Anna L. Buczak and Erhan Guven. 2016. A survey of data mining and machine learning methods for cyber security intrusion detection. IEEE Commun. Surveys Tutor. 18, 2 (2016), 1153--1176.Google ScholarDigital Library
Harlan Carvey. 2005. The windows registry as a forensic resource. Dig. Investig. 2, 3 (2005), 201--205.Google ScholarDigital Library
Q. Chen and R. A. Bridges. 2017. Automated behavioral analysis of malware: A case study of wannacry ransomware. In Proceedings of the 16th IEEE International Conference on Machine Learning and Applications (ICMLA’17). IEEE, 454--460. DOI:https://doi.org/10.1109/ICMLA.2017.0-119Google Scholar
Zouhair Chiba, Noureddine Abghour, Khalid Moussaid, Amina El Omri, and Mohamed Rida. 2016. A survey of intrusion detection systems for cloud computing environment. In Proceedings of the International Conference on Engineering 8 MIS (ICEMIS’16). IEEE, 1--13.Google ScholarCross Ref
W. Choi, H. J. Jo, S. Woo, J. Y. Chun, J. Park, and D. H. Lee. 2018. Identifying ECUs through inimitable characteristics of signals in controller area networks. IEEE Trans. Vehic. Technol. 99 (2018), 1--1. DOI:https://doi.org/10.1109/TVT.2018.2810232Google Scholar
Shane S. Clark, Benjamin Ransford, Amir Rahmati, Shane Guineau, Jacob Sorber, Wenyuan Xu, Kevin Fu, A. Rahmati, M. Salajegheh, D. Holcomb et al. 2013. WattsUpDoc: Power side channels to nonintrusively discover untargeted malware on embedded medical devices. In Proceedings of USENIX Workshop on Health Information Technologies. USENIX.Google Scholar
William W. Cohen. 1995. Fast effective rule induction. In Proceedings of the 12th International Conference on Machine Learning. Elsevier, 115--123.Google ScholarCross Ref
Gideon Creech and Jiankun Hu. 2013. Generation of a new IDS test dataset: Time to retire the KDD collection. In Proceedings of the Wireless Communications and Networking Conference (WCNC’13). IEEE, 4487--4492.Google ScholarCross Ref
Gideon Creech and Jiankun Hu. 2014. A semantic approach to host-based intrusion detection systems using contiguousand discontiguous system call patterns. IEEE Trans. Comput. 63, 4 (2014), 807--819.Google ScholarDigital Library
Joel A. Dawson, J. Todd McDonald, Jordan Shropshire, Todd R. Andel, Patrick Luckett, and Lee Hively. 2018. Rootkit detection through phase-space analysis of power voltage measurements. In Proceedings of the 12th IEEE International Conference on Malicious and Unwanted Software (MALCON’17). IEEE.Google Scholar
Ronald F. DeMara and Adam J. Rocke. 2004. Mitigation of network tampering using dynamic dispatch of mobile agents. Comput. Secur. 23, 1 (2004), 31--42.Google ScholarDigital Library
Dorothy Denning and Peter G. Neumann. 1985. Requirements and Model for IDES-a Real-time Intrusion-detection Expert System. SRI International, Menlo Park, CA.Google Scholar
Brendan Dolan-Gavitt. 2008. Forensic analysis of the windows registry in memory. Dig. Investig. 5 (2008), S26--S32.Google ScholarDigital Library
George W. Dunlap, Samuel T. King, Sukru Cinar, Murtaza A. Basrai, and Peter M. Chen. 2002. ReVirt: Enabling intrusion analysis through virtual-machine logging and replay. ACM SIGOPS Operat. Syst. Rev. 36 (2002), 211--224.Google ScholarDigital Library
Mohammed Taha Elgraini, Nasser Assem, and Tajjeeddine Rachidi. 2012. Host intrusion detection for long stealthy system call sequences. In Proceedings of the Colloquium on Information Science and Technology (CIST’12). IEEE, 96--100.Google ScholarCross Ref
Eleazar Eskin, Andrew Arnold, Michael Prerau, Leonid Portnoy, and Sal Stolfo. 2002. A geometric framework for unsupervised anomaly detection: Detecting intrusions in unlabeled data. Appl. Data Min. Comput. Secur. 6 (2002), 77--102.Google Scholar
Henry Hanping Feng, Oleg M. Kolesnikov, Prahlad Fogla, Wenke Lee, and Weibo Gong. 2003. Anomaly detection using call stack information. In Proceedings of the Symposium on Security and Privacy. IEEE, 62--75.Google ScholarCross Ref
Erik M. Ferragut, Jason Laska, and Robert A. Bridges. 2012. A new, principled approach to anomaly detection. In Proceedings of the 11th International Conference on Machine Learning and Applications (ICMLA’12), Vol. 2. IEEE, 210--215.Google Scholar
Stephanie Forrest, Steven Hofmeyr, and Anil Somayaji. 2008. The evolution of system-call monitoring. In Proceedings of the Annual Computer Security Applications Conference (ACSAC’08). IEEE, 418--430.Google ScholarDigital Library
Stephanie Forrest, Steven A. Hofmeyr, Anil Somayaji, and Thomas A. Longstaff. 1996. A sense of self for unix processes. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE, 120--128.Google ScholarDigital Library
Nir Friedman and Yoram Singer. 1999. Efficient Bayesian parameter estimation in large discrete domains. In Advances in Neural Information Processing Systems. MIT Press, Cambridge, MA, 417--423.Google Scholar
Debin Gao, Michael K. Reiter, and Dawn Song. 2006. Behavioral distance measurement using hidden Markov models. In Proceedings of the International Symposium on Research in Attacks, Intrusions and Defenses (RAID’06). Springer, Berlin, 19--40.Google ScholarDigital Library
Sebastian Garcia, Martin Grill, Jan Stiborek, and Alejandro Zunino. 2014. An empirical comparison of botnet detection methods. Comput. Secur. 45 (2014), 100--123.Google ScholarDigital Library
Anup K. Ghosh and Aaron Schwartzbard. 1999. A study in using neural networks for anomaly and misuse detection. In Proceedings of the USENIX Security Symposium, Vol. 99. USENIX, 12.Google Scholar
Anup K. Ghosh, Aaron Schwartzbard, and Michael Schatz. 1999. Learning program behavior profiles for intrusion detection. In Proceedings of the Workshop on Intrusion Detection and Network Monitoring, Vol. 51462. USENIX, 1--13.Google Scholar
Jonathon T. Giffin, Somesh Jha, and Barton P. Miller. 2006. Automated discovery of mimicry attacks. In Proceedings of the International Symposium on Research in Attacks, Intrusions and Defenses (RAID’06), Vol. 4219. Springer, Amsterdam, The Netherlands, 41--60.Google Scholar
Carlos R. Aguayo González and Jeffrey H. Reed. 2011. Power fingerprinting in SDR integrity assessment for security and regulatory compliance. Analog Integr. Circ. Signal Process. 69, 2--3 (2011), 307--327.Google ScholarDigital Library
John L. Griffin, Adam Pennington, John S. Bucy, Deepa Choundappan, Nithya Muralidharan, and Gregory R. Ganger. 2003. On the Feasibility of Intrusion Detection Inside Workstation Disks. Technical Report. School of Computer Science, Carnegie-Mellon University, Pittsburgh, PA.Google Scholar
Donghai Guan, Kejun Wang, Xiufen Ye, and Weixing Feng. 2005. A collaborative intrusion detection system using log server and neural networks. In Proceedings of the IEEE International Conference on Mechatronics and Automation, Vol. 2. IEEE, 874--877.Google Scholar
Sanchika Gupta and Padam Kumar. 2015. An immediate system call sequence-based approach for detecting malicious program executions in cloud environment. Wireless Personal Commun. 81, 1 (2015), 405--425.Google ScholarDigital Library
Sanchika Gupta, Padam Kumar, Anjali Sardana, and Ajith Abraham. 2012. A secure and lightweight approach for critical data security in cloud. In Proceedings of the 4th International Conference on Computational Aspects of Social Networks (CASoN’12). IEEE, 315--320.Google ScholarCross Ref
Sanchika Gupta, Anjali Sardana, and Padam Kumar. 2012. A light weight centralized file monitoring approach for securing files in cloud environment. In Proceedings of the International Conference on Internet Technology and Secured Transactions. IEEE, 382--387.Google Scholar
Aric Hagberg, Alex Kent, Nathan Lemons, and Joshua Neil. 2014. Credential hopping in authentication graphs. In Proceedings of the International Conference on Signal-Image Technology Internet-Based Systems (SITIS’14). IEEE Computer Society.Google Scholar
Waqas Haider, Gideon Creech, Yi Xie, and Jiankun Hu. 2016. Windows-based data sets for evaluation of robustness of host-based intrusion detection systems (IDS) to zero-day and stealth attacks. Future Internet 8, 3 (2016), 29.Google ScholarCross Ref
Waqas Haider, Jiankun Hu, and Miao Xie. 2015. Towards reliable data feature retrieval and decision engine in host-based anomaly detection systems. In Proceedings of the IEEE 10th Conference on Industrial Electronics and Applications (ICIEA’15). IEEE, 513--517.Google ScholarCross Ref
Waqas Haider, Jiankun Hu, Xinghuo Yu, and Yi Xie. 2015. Integer data zero-watermark assisted system calls abstraction and normalization for host-based anomaly detection systems. In Proceedings of the IEEE 2nd International Conference on Cyber Security and Cloud Computing (CSCloud’15). IEEE, 349--355.Google ScholarDigital Library
Sang-Jun Han and Sung-Bae Cho. 2005. Evolutionary neural networks for anomaly detection based on the behavior of a program. IEEE Trans. Syst. Man Cybernet. Part B (Cybernet.) 36, 3 (2005), 559--570.Google ScholarDigital Library
Christopher R. Harshaw, Robert A. Bridges, Michael D. Iannacone, Joel W. Reed, and John R. Goodall. 2016. Graphprints: Towards a graph analytic method for network anomaly detection. In Proceedings of the 11th Annual Cyber and Information Security Research Conference. ACM, New York, NY, 1--15.Google Scholar
Katherine A. Heller, Krysta M. Svore, Angelos D. Keromytis, and Salvatore J. Stolfo. 2003. One class support vector machines for detecting anomalous windows registry accesses. In Proceedings of the Workshop on Data Mining for Computer Security. 9.Google Scholar
Paul Helman and Jessie Bhangoo. 1997. A statistically based system for prioritizing information exploration under uncertainty. IEEE Trans. Syst. Man. Cybernet.-Part A: Syst. Hum. 27, 4 (1997), 449--466.Google ScholarDigital Library
Xuan Dau Hoang, Jiankun Hu, and Peter Bertok. 2003. A multi-layer model for anomaly intrusion detection using program sequences of system calls. In Proceedings of the 11th IEEE International Conference. Citeseer, IEEE.Google Scholar
Xuan Dau Hoang, Jiankun Hu, and Peter Bertok. 2009. A program-based anomaly intrusion detection scheme using multiple detection engines and fuzzy inference. J. Netw. Comput. Appl. 32, 6 (2009), 1219--1228.Google ScholarDigital Library
Steven A. Hofmeyr, Stephanie Forrest, and Anil Somayaji. 1998. Intrusion detection using sequences of system calls. J. Comput. Secur. 6, 3 (1998), 151--180.Google ScholarDigital Library
Greg Hoglund and James Butler. 2006. Rootkits: Subverting the Windows Kernel. Addison-Wesley Professional, Indianapolis, IN.Google ScholarDigital Library
Jiankun Hu, Xinghuo Yu, Dong Qiu, and Hsiao-Hwa Chen. 2009. A simple and efficient hidden Markov model scheme for host-based anomaly intrusion detection. IEEE Netw. 23, 1 (2009), 42--47.Google ScholarDigital Library
Guang-Bin Huang, Qin-Yu Zhu, and Chee-Kheong Siew. 2004. Extreme learning machine: A new learning scheme of feedforward neural networks. In Proceedings of the IEEE International Joint Conference on Neural Networks, Vol. 2. IEEE, 985--990.Google Scholar
Raid Khalid Hussein, Ahmed Alenezi, Gary B. Wills, and Robert J. Walters. 2016. A framework to secure the virtual machine image in cloud computing. In Proceedings of the International Conference on Smart Cloud (SmartCloud’16). IEEE, 35--40.Google Scholar
Nwokedi Idika and Aditya P. Mathur. 2007. A survey of malware detection techniques. Purdue Univ. 48 (2007).Google Scholar
Koral Ilgun. 1993. USTAT: A real-time intrusion detection system for UNIX. In Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy. IEEE, 16--28.Google ScholarCross Ref
Brian Jewell and Justin Beaver. 2011. Host-based data exfiltration detection via system call sequences. In Proceedings of the 6th International Conference on Information Warfare and Secuirty (ICIW’11). Academic Conferences Limited, Academic Conferences Limited, England, 134.Google Scholar
S. Jha, L. Kruger, T. Kurtx, Y. Lee, and A. Smith. 2004. A filtering approach to anomaly and masquerade detection. Technical report, Department of Computer Science, University of Wisconsin, Madison.Google Scholar
Jarilyn M. Hernández Jiménez, Jeffrey A. Nichols, Katerina Goseva-Popstojanova, Stacy Prowell, and Robert A. Bridges. 2017. Malware Detection on General-Purpose Computers Using Power Consumption Monitoring: A Proof of Concept and Case Study. arXiv preprint arXiv:1705.01977.Google Scholar
Hai Jin, Guofu Xiang, Deqing Zou, Song Wu, Feng Zhao, Min Li, and Weide Zheng. 2013. A VMM-based intrusion prevention system in cloud computing environment. J. Supercomput. 66, 3 (2013), 1133--1151.Google ScholarDigital Library
Chaivat Jirapummin, Naruemon Wattanapongsakorn, and Prasert Kanthamanon. 2002. Hybrid neural networks for intrusion detection system. Proc. ITC-CSCC 7 (2002), 928--931.Google Scholar
Peyman Kabiri and Ali A. Ghorbani. 2005. Research on intrusion detection and response: A survey. IJ Netw. Secur. 1, 2 (2005), 84--102.Google Scholar
Hilmi Güneş Kayacik, Malcolm Heywood, and Nur Zincir-Heywood. 2006. On evolving buffer overflow attacks using genetic programming. In Proceedings of the 8th Annual Conference on Genetic and Evolutionary Computation. ACM, New York, NY, 1667--1674.Google ScholarDigital Library
H. Gunes Kayacik and A. Nur Zincir-Heywood. 2007. On the contribution of preamble to information hiding in mimicry attacks. In Proceedings of the 21st International Advanced Information Networking and Applications Workshops (AINAW’07), Vol. 1. IEEE, 632--638.Google Scholar
Hilmi Günes Kayacik and A. Nur Zincir-Heywood. 2008. Mimicry attacks demystified: What can attackers do to evade detection? In Proceedings of the 6th Annual Conference on Privacy, Security and Trust (PST’08). IEEE, 213--223.Google ScholarDigital Library
H. Gunes Kayacik, A. Nur Zincir-Heywood, and Malcolm I. Heywood. 2003. On the capability of an SOM-based intrusion detection system. In Proceedings of the International Joint Conference on Neural Networks, Vol. 3. IEEE, 1808--1813.Google Scholar
Richard A. Kemmerer and Giovanni Vigna. 2002. Intrusion detection: A brief history and overview. Computer 35, 4 (2002), 27--30.Google ScholarDigital Library
Alexander D. Kent. 2015. Comprehensive, Multi-Source Cyber-Security Events. Los Alamos National Laboratory. DOI:https://doi.org/10.17021/1179829Google Scholar
Alexander D. Kent. 2015. Cybersecurity data sources for dynamic network research. In Dynamic Networks in Cybersecurity. Imperial College Press.Google Scholar
Minhaj Ahmad Khan. 2016. A survey of security issues for cloud computing. J. Netw. Comput. Appl. 71 (2016), 11--29.Google ScholarDigital Library
Muhammad Salman Khan, Sana Siddiqui, and Ken Ferens. 2017. Cognitive modeling of polymorphic malware using fractal-based semantic characterization. In Proceedings of the IEEE International Symposium on Technologies for Homeland Security (HST’17). IEEE, 1--7.Google ScholarCross Ref
Muhammad Salman Khan, Sana Siddiqui, Robert D. McLeod, Ken Ferens, and Witold Kinsner. 2016. Fractal-based adaptive boosting algorithm for cognitive detection of computer malware. In Proceedings of the IEEE 15th International Conference on Cognitive Informatics 8 Cognitive Computing (ICCI’16). IEEE, 50--59.Google ScholarCross Ref
Gene H. Kim and Eugene H. Spafford. 1994. The design and implementation of tripwire: A file system integrity checker. In Proceedings of the 2nd ACM Conference on Computer and Communications Security. ACM, New York, NY, 18--29.Google Scholar
Witold Kinsner. 2005. A unified approach to fractal dimensions. In Proceedings of the 4th IEEE Conference on Cognitive Informatics (ICCI’05). IEEE, 58--72.Google ScholarCross Ref
Ryan K. L. Ko, Peter Jagadpramana, and Bu Sung Lee. 2011. Flogger: A file-centric logger for monitoring file access and transfers within cloud computing environments. In Proceedings of the IEEE 10th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom’11). IEEE, 765--771.Google ScholarDigital Library
Andrew P. Kosoresow and S. A. Hofmeyer. 1997. Intrusion detection via system call traces. IEEE Softw. 14, 5 (1997), 35--42.Google ScholarDigital Library
Athanasios Kountouras, Panagiotis Kintis, Chaz Lever, Yizheng Chen, Yacin Nadji, David Dagon, Manos Antonakakis, and Rodney Joffe. 2016. Enabling Network Security Through Active DNS Datasets. Springer International Publishing, Cham, 188--208. DOI:https://doi.org/10.1007/978-3-319-45719-2_9Google Scholar
Christopher Kruegel, Engin Kirda, Darren Mutz, William Robertson, and Giovanni Vigna. 2005. Automating mimicry attacks using static binary analysis. In Proceedings of the 14th Conference on USENIX Security Symposium. USENIX, 11--11.Google Scholar
Christopher Kruegel, Darren Mutz, William Robertson, and Fredrik Valeur. 2003. Bayesian event classification for intrusion detection. In Proceedings of the 19th Annual Computer Security Applications Conference. IEEE, 14--23.Google ScholarCross Ref
Christopher Kruegel, Darren Mutz, Fredrik Valeur, and Giovanni Vigna. 2003. On the detection of anomalous system call arguments. In Proceedings of the European Symposium on Research in Computer Security. Springer, Berlin, 326--343.Google ScholarCross Ref
Uttam Kumar and Bhavesh N. Gohil. 2015. A survey on intrusion detection systems for cloud computing environment. Int. J. Comput. Appl. 109, 1 (2015), 6--15.Google ScholarCross Ref
MIT Lincoln Labs. 2017. DARPA Intrusion Detection Evaluation. Retrieved from http://www.ll.mit.edu/mission/communications/cyber/CSTcorpora/ideval/data/.Google Scholar
Aleksandar Lazarevic, Vipin Kumar, and Jaideep Srivastava. 2005. Intrusion detection: A survey. In Managing Cyber Threats. Springer, Amsterdam, The Netherlands, 19--78.Google Scholar
Jun-Ho Lee, Min-Woo Park, Jung-Ho Eom, and Tai-Myoung Chung. 2011. Multi-level intrusion detection system and log management in cloud computing. In Proceedings of the 13th International Conference on Advanced Communication Technology (ICACT’11). IEEE, 552--555.Google Scholar
Wenke Lee, Salvatore J. Stolfo, and Kui W. Mok. 1999. A data-mining framework for building intrusion detection models. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE, 120--132.Google Scholar
Itzhak Levin. 2000. KDD-99 classifier learning contest: LLSoft’s results overview. SIGKDD Explor. 1, 2 (2000), 67--75.Google ScholarDigital Library
Ling Li and Constantine N. Manikopoulos. 2004. Windows NT one-class masquerade detection. In Proceedings of the 5th Annual IEEE SMC Information Assurance Workshop. IEEE, 82--87.Google Scholar
Hung-Jen Liao, Chun-Hung Richard Lin, Ying-Chih Lin, and Kuang-Yuan Tung. 2013. Intrusion detection system: A comprehensive review. J. Netw. Comput. Appl. 36, 1 (2013), 16--24.Google ScholarDigital Library
Yihua Liao and V Rao Vemuri. 2002. Use of k-nearest neighbor classifier for intrusion detection. Comput. Secur. 21, 5 (2002), 439--448.Google ScholarDigital Library
Nick Littlestone. 1988. Learning quickly when irrelevant attributes abound: A new linear-threshold algorithm. Mach. Learn. 2, 4 (1988), 285--318.Google ScholarCross Ref
Matthew Mahoney and Philip Chan. 2003. An analysis of the 1999 DARPA/Lincoln Laboratory evaluation data for network anomaly detection. In Recent Advances in Intrusion Detection. Springer, Amsterdam, The Netherlands, 220--237.Google Scholar
John McHugh. 2000. Testing intrusion detection systems: A critique of the 1998 and 1999 darpa intrusion detection system evaluations as performed by lincoln laboratory. ACM Trans. Info. Syst. Secur. 3, 4 (2000), 262--294.Google ScholarDigital Library
Vivienne Mee, Theodore Tryfonas, and Iain Sutherland. 2006. The windows registry as a forensic artefact: Illustrating evidence collection for Internet usage. Dig. Investig. 3, 3 (2006), 166--173.Google ScholarDigital Library
Yasir Mehmood, Umme Habiba, Muhammad Awais Shibli, and Rahat Masood. 2013. Intrusion detection system in cloud computing: Challenges and opportunities. In Proceedings of the 2nd National Conference on Information Assurance (NCIA’13). IEEE, 59--66.Google ScholarCross Ref
Shagufta Mehnaz and Elisa Bertino. 2017. Ghostbuster: A fine-grained approach for anomaly detection in file system accesses. In Proceedings of the 7th ACM on Conference on Data and Application Security and Privacy (CODASPY’17). ACM, New York, NY, 3--14. DOI:https://doi.org/10.1145/3029806.3029809Google ScholarDigital Library
Preeti Mishra, Emmanuel S. Pilli, Vijay Varadharajan, and Udaya Tupakula. 2017. Intrusion detection techniques in cloud environment: A survey. J. Netw. Comput. Appl. 77 (2017), 18--47.Google ScholarDigital Library
Chirag Modi, Dhiren Patel, Bhavesh Borisaniya, Hiren Patel, Avi Patel, and Muttukrishnan Rajarajan. 2013. A survey of intrusion detection techniques in cloud. J. Netw. Comput. Appl. 36, 1 (2013), 42--57.Google ScholarDigital Library
Andreas Moser, Christopher Kruegel, and Engin Kirda. 2007. Limits of static analysis for malware detection. In Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC’07). IEEE, 421--430.Google ScholarCross Ref
Robert Moskovitch, Shay Pluderman, Ido Gus, Dima Stopel, Clint Feher, Yisrael Parmet, Yuval Shahar, and Yuval Elovici. 2007. Host-based intrusion detection using machine learning. In Proceedings of the Conference on Intelligence and Security Informatics. IEEE, 107--114.Google ScholarCross Ref
Tarik Mouttaqi, Tajjeeddine Rachidi, and Nasser Assem. 2017. Re-evaluation of combined Markov-Bayes models for host intrusion detection on the ADFA dataset. In Proceedings of the Intelligent Systems Conference (IntelliSys’17). IEEE, 1044--1052.Google ScholarCross Ref
Srinivas Mukkamala, Guadalupe Janoski, and Andrew Sung. 2002. Intrusion detection using neural networks and support vector machines. In Proceedings of the International Joint Conference on Neural Networks (IJCNN’02), Vol. 2. IEEE, 1702--1707.Google ScholarCross Ref
Darren Mutz, Fredrik Valeur, Giovanni Vigna, and Christopher Kruegel. 2006. Anomalous system call detection. ACM Trans. Info. Syst. Secur. 9, 1 (2006), 61--93.Google ScholarDigital Library
James Newsome and Dawn Song. 2005. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In Proceedings of the 12th Network and Distributed Systems Security Symposium. Internet Society, 43.Google Scholar
University of California’s San Diego Supercomputer Center. 2018. Center for Applied Internet Data Analysis. Retrieved from http://www.caida.org/.Google Scholar
The Regents of the University of New Mexico. 2006. Sequence-based intrusion detection. Retrieved from http://www.cs.unm.edu/ immsec/systemcalls.htm.Google Scholar
Vinod K. Pachghare, Vaibhav K. Khatavkar, and Parag Kulkarni. 2012. Pattern-based IDS using supervised, semi-supervised and unsupervised approaches. In Proceedings of the International Conference on Computer Science and Information Technology. Springer, Berlin, 542--551.Google ScholarCross Ref
Animesh Patcha and Jung-Min Park. 2007. An overview of anomaly detection techniques: Existing solutions and latest technological trends. Comput. Netw. 51, 12 (2007), 3448--3470.Google ScholarDigital Library
Swapnil Patil, Anand Kashyap, Gopalan Sivathanu, and Erez Zadok. 2004. I3FS: An In-kernel integrity checker and intrusion detection file system. In Proceedings of the Large Installation System Administration Conference (LISA’04), Vol. 4. USENIX, 67--78.Google Scholar
Adam G. Pennington, John D. Strunk, John Linwood Griffin, Craig A. N. Soules, Garth R. Goodson, and Gregory R. Ganger. 2003. Storage-based intrusion detection: Watching storage activity for suspicious behavior. In Proceedings of the USENIX Security Symposium. USENIX.Google Scholar
I. Perona, I. Gurrutxaga, O. Arbelaitz, J. I. Martín, J. Muguerza, and J. M. Pérez. 2008. gureKddcup database. Retrieved from http://aldapa.eus/res/gureKddcup/.Google Scholar
Bernhard Pfahringer. 2000. Winning the KDD99 classification cup: Bagged boosting. ACM SIGKDD Explor. Newslett. 1, 2 (2000), 65--66.Google ScholarDigital Library
Phillip A. Porras and Richard A. Kemmerer. 1992. Penetration state transition analysis: A rule-based intrusion detection approach. In Proceedings of the Annual Computer Security Applications Conference (ACSAC’92). IEEE, 220--229.Google Scholar
Nguyen Anh Quynh and Yoshiyasu Takefuji. 2007. A novel approach for a file-system integrity monitor tool of Xen virtual machine. In Proceedings of the 2nd ACM Symposium on Information, Computer, and Communications Security. ACM, New York, NY, 194--202.Google ScholarDigital Library
Tajjeeddine Rachidi, Oualid Koucham, and Nasser Assem. 2016. Combined data and execution flow host intrusion detection using machine learning. In Intelligent Systems and Applications. Springer, 427--450.Google Scholar
Wei Ren and Hai Jin. 2005. Distributed agent-based real time network intrusion forensics system architecture design. In Proceedings of the 19th International Conference on Advanced Information Networking and Applications (AINA’05), Vol. 1. IEEE, 177--182.Google Scholar
John R. Reuning. 2004. Applying Term Weight Techniques to Event Log Analysis for Intrusion Detection. Master’s Thesis, School of Information and Library Science, University of North Carolina at Chapel Hill, Chapel Hill, NC, 1--60.Google Scholar
Jake Ryan, Meng-Jang Lin, and Risto Miikkulainen. 1998. Intrusion detection with neural networks. In Advances in Neural Information Processing Systems. MIT Press, 943--949.Google Scholar
Farzad Sabahi and Ali Movaghar. 2008. Intrusion detection: A survey. In Proceedings of the 3rd International Conference on Systems and Networks Communications (ICSNC’08). IEEE, 23--26.Google ScholarDigital Library
Maheshkumar Sabhnani and Gursel Serpen. 2004. Why machine learning algorithms fail in misuse detection on KDD intrusion detection data set. Intell. Data Anal. 8, 4 (2004), 403--415.Google ScholarDigital Library
Santosh Kumar Sahu, Sauravranjan Sarangi, and Sanjaya Kumar Jena. 2014. A detail analysis on intrusion detection datasets. In Proceedings of the IEEE International Advance Computing Conference (IACC’14). IEEE, 1348--1353.Google ScholarCross Ref
H. Sayadi, N. Patel, S. M. P D, A. Sasan, S. Rafatirad, and H. Homayoun. 2018. Ensemble learning for effective run-time hardware-based malware detection: A comprehensive analysis and classification. In Proceedings of the Design Automation Conference (DAC’18). ACM/ESDA/IEEE, 1--6.Google Scholar
Karen Scarfone and Peter Mell. 2007. Guide to intrusion detection and prevention systems (idps). NIST Spec. Publ. 800, 2007 (2007), 94.Google Scholar
Matthew G. Schultz, Eleazar Eskin, F. Zadok, and Salvatore J. Stolfo. 2001. Data-mining methods for detection of new malicious executables. In Proceedings of the IEEE Symposium on Security and Privacy (S8P’01). IEEE, 38--49.Google Scholar
R. Sekar, Mugdha Bendre, Dinakar Dhurjati, and Pradeep Bollineni. 2001. A fast automaton-based method for detecting anomalous program behaviors. In Proceedings of the IEEE Symposium on Security and Privacy (S8P’01). IEEE, 144--155.Google ScholarCross Ref
Jude Shavlik and Mark Shavlik. 2004. Selection, combination, and evaluation of effective software sensors for detecting abnormal computer usage. In Proceedings of the 10th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. ACM, New York, NY, 276--285.Google ScholarDigital Library
Sana Siddiqui, Muhammad Salman Khan, Ken Ferens, and Witold Kinsner. 2016. Detecting advanced persistent threats using fractal dimension-based machine learning classification. In Proceedings of the ACM on International Workshop on Security And Privacy Analytics (IWSPA’16). ACM, New York, NY, 64--69. DOI:https://doi.org/10.1145/2875475.2875484Google ScholarDigital Library
Robin Sommer and Vern Paxson. 2010. Outside the closed world: On using machine learning for network intrusion detection. In Proceedings of the IEEE Symposium on Security and Privacy (SP’10). IEEE, 305--316.Google ScholarDigital Library
Aditya K. Sood, Rohit Bansal, and Richard J. Enbody. 2013. Cybercrime: Dissecting the state of underground enterprise. IEEE Internet Comput. 17, 1 (2013), 60--68.Google ScholarDigital Library
Salvatore J. Stolfo, Frank Apap, Eleazar Eskin, Katherine Heller, Shlomo Hershkop, Andrew Honig, and Krysta Svore. 2005. A comparative evaluation of two algorithms for windows registry anomaly detection. J. Comput. Secur. 13, 4 (2005), 659--693.Google ScholarDigital Library
Sufatrio and Roland H. C. Yap. 2005. Improving host-based IDS with argument abstraction to prevent mimicry attacks. In Proceedings of the International Workshop on Recent Advances in Intrusion Detection. Springer, Berlin, 146--164.Google Scholar
Kymie Tan, Kevin Killourhy, and Roy Maxion. 2002. Undermining an anomaly-based intrusion detection system using common exploits. In Recent Advances in Intrusion Detection. Springer, Berlin, 54--73.Google Scholar
Kymie M. C. Tan and Roy A. Maxion. 2002. “Why 6?” defining the operational limits of stide, an anomaly-based intrusion detector. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE, 188--201.Google Scholar
Gaurav Tandon and Philip K. Chan. 2005. Learning useful system call attributes for anomaly detection. In Proceedings of the Florida Artificial Intelligence Research Society Conference (FLAIRS’05). AAAI, 405--411.Google Scholar
Gaurav Tandon and Philip K. Chan. 2006. On the learning of system call attributes for host-based anomaly detection. Int. J. Artific. Intell. Tools 15, 06 (2006), 875--892.Google ScholarCross Ref
Mahbod Tavallaee, Ebrahim Bagheri, Wei Lu, and Ali A. Ghorbani. 2009. A detailed analysis of the KDD CUP 99 data set. In Proceedings of the IEEE Symposium on Computational Intelligence for Security and Defense Applications (CISDA’09). IEEE, 1--6.Google Scholar
Taha Ait Tchakoucht, Mostafa Ezziyyani, Mohammed Jbilou, and Mikael Salaun. 2015. Behavioral approach for intrusion detection. In Proceedings of the IEEE/ACS 12th International Conference on Computer Systems and Applications (AICCSA’15). IEEE, 1--5.Google Scholar
Xiaojun Tong, Zhu Wang, and Haining Yu. 2009. A research using hybrid RBF/Elman neural networks for intrusion detection system secure model. Comput. Phys. Commun. 180, 10 (2009), 1795--1801.Google ScholarCross Ref
M. Topallar, M. O. Depren, E. Anarim, and K. Ciliz. 2004. Host-based intrusion detection by monitoring Windows registry accesses. In Proceedings of the IEEE 12th Signal Processing and Communications Applications Conference. IEEE, 728--731.Google Scholar
M. J. M. Turcotte, A. D. Kent, and C. Hash. 2017. Unified host and network data set. ArXiv e-prints abs/1708.07518.Google Scholar
Christian Vaas and Jassim Happa. 2017. Detecting disguised processes using application-behavior profiling. In Proceedings of the IEEE International Symposium on Technologies for Homeland Security (HST’17). IEEE, 1--6.Google ScholarCross Ref
Kalyan Veeramachaneni, Ignacio Arnaldo, Vamsi Korrapati, Constantinos Bassias, and Ke Li. 2016. AI2: Training a big data machine to defend. In Proceedings of the IEEE International Conference on High Performance and Smart Computing (HPSC’16), and IEEE International Conference on Intelligent Data and Security (IDS’16), IEEE 2nd International Conference on Big Data Security on Cloud (BigDataSecurity’16). IEEE, New York, NY, 49--54.Google Scholar
M. E. Verma and R. A. Bridges. 2018. Defining a metric space of host logs and operational use cases. In Proceedings of the IEEE International Conference on Big Data (Big Data’18). 5068--5077. DOI:https://doi.org/10.1109/BigData.2018.8622083Google Scholar
L. Vokorokos and A. Baláž. 2010. Host-based intrusion detection system. In Proceedings of the 14th International Conference on Intelligent Engineering Systems (INES’10). IEEE, 43--47.Google Scholar
Liberios Vokorokos, Anton Balaz, and Martin Chovanec. 2006. Intrusion detection system using self organizing map. Acta Electrotech. Informat. 6, 1 (2006), 1--6.Google Scholar
David Wagner and R. Dean. 2001. Intrusion detection via static analysis. In Proceedings of the IEEE Symposium on Security and Privacy (S&P’’01). IEEE, 156--168.Google Scholar
Zhijian Wang and Yanqin Zhu. 2017. A centralized HIDS framework for private cloud. In Proceedings of the 18th IEEE/ACIS International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing (SNPD’17). IEEE, 115--120.Google ScholarCross Ref
Christina Warrender, Stephanie Forrest, and Barak Pearlmutter. 1999. Detecting intrusions using system calls: Alternative data models. In Proceedings of the 1999 IEEE Symposium on Security and Privacy. IEEE, 133--145.Google ScholarCross Ref
Miao Xie and Jiankun Hu. 2013. Evaluating host-based anomaly detection systems: A preliminary analysis of ADFA-LD. In Proceedings of the 6th International Congress on Image and Signal Processing (CISP’13), Vol. 3. IEEE, 1711--1716.Google ScholarCross Ref
Miao Xie, Jiankun Hu, and Jill Slay. 2014. Evaluating host-based anomaly detection systems: Application of the one-class svm algorithm to ADFA-LD. In Proceedings of the 11th International Conference on Fuzzy Systems and Knowledge Discovery (FSKD’14). IEEE, 978--982.Google ScholarCross Ref
Miao Xie, Jiankun Hu, Xinghuo Yu, and Elizabeth Chang. 2014. Evaluating host-based anomaly detection systems: Application of the frequency-based algorithms to ADFA-LD. In Proceedings of the International Conference on Network and System Security. Springer, Berlin, 542--549.Google ScholarCross Ref
Xiaolong Xu, Guangpei Liu, and Jie Zhu. 2016. Cloud data security and integrity protection model based on distributed virtual machine agents. In Proceedings of the International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC’16). IEEE, Chengdu, China, 6--13.Google ScholarCross Ref
Nong Ye, Syed Masum Emran, Qiang Chen, and Sean Vilbert. 2002. Multivariate statistical analysis of audit trails for host-based intrusion detection. IEEE Trans. Comput. 51, 7 (2002), 810--820.Google ScholarDigital Library
Nong Ye, Xiangyang Li, Qiang Chen, Syed Masum Emran, and Mingming Xu. 2001. Probabilistic techniques for intrusion detection based on computer audit data. IEEE Trans. Syst. Man Cybernet. Part A: Syst. Hum. 31, 4 (2001), 266--274.Google ScholarDigital Library
Qing Ye, Xiaoping Wu, and Bo Yan. 2010. An intrusion detection approach based on system call sequences and rules extraction. In Proceedings of the 2nd International Conference on e-Business and Information System Security (EBISS’10). IEEE, Wuhan, China, 1--4.Google ScholarCross Ref
Tianwei Zhang and Ruby B. Lee. 2015. Cloudmonatt: An architecture for security health monitoring and attestation of virtual machines in cloud computing. In Proceedings of the ACM/IEEE 42nd Annual International Symposium on Computer Architecture (ISCA’15). IEEE, 362--374.Google Scholar
Zonghua Zhang and Hong Shen. 2005. Application of online-training SVMs for real-time intrusion detection with different considerations. Comput. Commun. 28, 12 (2005), 1428--1442.Google ScholarDigital Library
Gu Zhaojun and Wang Chao. 2010. Statistic and analysis for Host-based syslog. In Proceedings of the 2nd International Workshop on Education Technology and Computer Science (ETCS’10), Vol. 2. IEEE, 277--280.Google ScholarCross Ref

Index Terms

A Survey of Intrusion Detection Systems Leveraging Host Data
1. General and reference
  1. Document types
    1. Surveys and overviews
2. Security and privacy
  1. Intrusion/anomaly detection and malware mitigation
    1. Intrusion detection systems

Recommendations

Rule generalisation in intrusion detection systems using SNORT

Intrusion Detection Systems (IDSs) provide an important layer of security for computer systems and networks. An IDS's responsibility is to detect suspicious or unacceptable system and network activity and to alert a systems administrator to this ...
Read More
Mimicry attacks on host-based intrusion detection systems
CCS '02: Proceedings of the 9th ACM conference on Computer and communications security

We examine several host-based anomaly detection systems and study their security against evasion attacks. First, we introduce the notion of a mimicry attack, which allows a sophisticated attacker to cloak their intrusion to avoid detection by the IDS. ...
Read More
A Survey on Intrusion Detection and Prevention Systems
Abstract
In the digital world, malicious activities that violate the confidentiality, integrity, or availability of data and devices are known as intrusions. An intrusion detection system (IDS) analyses the activities of a single system or a network to ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

Published in
ACM Computing Surveys Volume 52, Issue 6
November 2020
806 pages
ISSN:0360-0300
EISSN:1557-7341
DOI:10.1145/3368196
Editor:
Sartaj Sahni
Department of Computer and Information Science and Engineering
Issue’s Table of Contents
Copyright © 2019 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 14 November 2019
- Accepted: 1 July 2019
- Revised: 1 May 2019
- Received: 1 May 2018
Published in csur Volume 52, Issue 6

Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
Intrusion detection
anomaly detection
host
Qualifiers
- survey
- Research
- Refereed
Conference
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 63
  Total Citations
  View Citations
- 4,087
  Total Downloads
- Downloads (Last 12 months)774
- Downloads (Last 6 weeks)128
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

HTML Format

View this article in HTML Format .

View HTML Format

A Survey of Intrusion Detection Systems Leveraging Host Data

ACM Computing Surveys

Abstract

References

Cited By

Index Terms

Recommendations

Rule generalisation in intrusion detection systems using SNORT

Mimicry attacks on host-based intrusion detection systems

A Survey on Intrusion Detection and Prevention Systems