Title :
Metadata for anomaly-based security protocol attack deduction
Author :
Leckie, Tysen ; Yasinsac, Alec
Author_Institution :
Nat. Security Operations, Northrop Grumman, Columbia, MD, USA
Abstract :
Anomaly-based intrusion detection systems (IDS) have been widely recognized for their potential to prevent and reduce damage to information systems. In order to build their profiles and to generate their requisite behavior observations, these systems rely on access to payload data, either in the network or on the host system. With the growing reliance on encryption technology, less and less payload data is available for analysis. In order to accomplish intrusion detection in an encrypted environment, a new data representation must emerge. We present a knowledge engineering approach to allow intrusion detection in an encrypted environment. Our approach relies on gathering and analyzing several forms of metadata relating to session activity of the principals involved and the protocols that they employ. We then apply statistical and pattern recognition methods to the metadata to distinguish between normal and abnormal activity and then to distinguish between legitimate and malicious behavior.
Keywords :
cryptography; information systems; knowledge engineering; management information systems; meta data; pattern recognition; protocols; statistical analysis; anomaly-based intrusion detection systems; anomaly-based security protocol attack deduction; encryption technology; knowledge engineering approach; metadata; pattern recognition methods; payload data; statistical methods; user profiles; Information security; Intrusion detection; Payloads; Telecommunication traffic; Traffic control; Index Terms: Anomaly detection; behavioral analysis; security protocols; user profile
Journal_Title :
IEEE Transactions on Knowledge and Data Engineering
DOI :
10.1109/TKDE.2004.43