• DocumentCode
    2274747
  • Title

    A serial combination of anomaly and misuse IDSes applied to HTTP traffic

  • Author

    Tombini, Elvis ; Debar, Hervé ; Mé, Ludovic ; Ducassé, Mireille

  • Author_Institution
    France Telecom, Caen, France
  • fYear
    2004
  • fDate
    6-10 Dec. 2004
  • Firstpage
    428
  • Lastpage
    437
  • Abstract
    Combining an "anomaly" and a "misuse" IDS offers the advantage of separating the monitored events into normal, intrusive or unqualified classes (i.e. not known as an attack, but not recognized as safe either). In this article, we provide a framework to systematically reason about the combination of anomaly and misuse components. This framework, applied to Web servers, leads us to propose a serial architecture, using a drastic anomaly component with a sensitive misuse component. This architecture provides the operator with better qualification of the detection results and raises a lower number of false alarms and unqualified events.
  • Keywords
    Internet; computer network management; security of data; telecommunication traffic; transport protocols; HTTP traffic; Web server; drastic anomaly component; intrusion detection system; sensitive misuse component; serial architecture; Computer architecture; Detectors; Event detection; Information analysis; Intrusion detection; Monitoring; Prototypes; Qualifications; Service oriented architecture; Web server;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computer Security Applications Conference, 2004. 20th Annual
  • ISSN
    1063-9527
  • Print_ISBN
    0-7695-2252-1
  • Type

    conf

  • DOI
    10.1109/CSAC.2004.4
  • Filename
    1377250