
Chapter 15

Attack Detection

- Principles of Intrusion Detection Systems
- Categories
- Detection quality

[NetSec], WS 2007/2008

15.1

Introduction

Definition: Intrusion
An intrusion is unauthorized access to and/or activity in an information system.

Definition: Intrusion Detection
The process of identifying that an intrusion has been attempted, is occurring or has occurred.
(National Security Telecommunications Advisory Committee (NSTAC) Intrusion Detection Subgroup)


Introduction

Intrusion Detection
- Attack / invasion detection: tries to detect unauthorized access by outsiders
- Misuse detection: tries to detect misuse by insiders, e.g. users that try to access services on the Internet by bypassing security directives
- Anomaly detection: tries to detect abnormal states within a network, e.g. the sudden appearance of protocols never used before, or a large number of unsuccessful login attempts

Intrusion Prevention
- An IPS adds further functionality to an IDS. After detecting a possible attack, the IPS tries to prevent the ongoing attack, e.g. by closing network connections or reconfiguring firewalls



Attack Taxonomy
Source: [Mirkovic2004]


Intrusion Detection

Data collection issues
- Reliable and complete data
- Collection is expensive; collecting the right information is important

Detection techniques
- Signature-based or knowledge-based detection
- Anomaly detection

Response
- Counteracting an attack

Evaluation
- System effectiveness, performance, network-wide analysis
- False-positive rate
- False-negative rate


Classification of Attack Detection

Four dimensions (figure): host based / network based, and anomaly detection / knowledge based

Classification of Attack Detection

Host Intrusion Detection Systems (HIDS)
- Works on information available on a system, e.g. OS logs, application logs, timestamps
- Can easily detect attacks by insiders, such as modification of files, illegal access to files, installation of Trojans or rootkits
- Problems: has to be installed on every system, produces lots of information, often no real-time analysis but predefined time intervals, hard to manage a huge number of systems

Network Intrusion Detection System (NIDS)
- Works on information provided by the network, mainly packets sniffed from the network layer. Uses signature detection (stateful), protocol decoding, statistical anomaly analysis, heuristic analysis
- Detects: DoS with buffer overflow attacks, invalid packets, attacks on the application layer, DDoS, spoofing attacks, port scans
- Often used on network hubs to monitor a segment of the network


Placement of a Network Intrusion Detection System

(Figure: three candidate positions, at the Internet link, in the DMZ, and in the LAN)

Internet link
- Monitors all incoming traffic
- High load
- High rate of false alarms

DMZ
- Monitors all traffic to and from systems in the DMZ
- Reduced amount of data
- Can only detect intrusions on these computers

LAN
- Monitors all traffic within the corporate LAN
- Possible detection of misuse by insiders
- Possible detection of intrusion via mobile machines (notebooks, ...)


Knowledge-based Detection

Based on signatures or patterns of well-known attacks

Working principles
- Scan for attacks using well-known vulnerabilities, e.g. patterns to attack IIS web servers or MSSQL databases
- Scan for pre-defined numbers of ICMP, TCP SYN, etc. packets
- Patterns can be specified at each protocol level
  - Network protocol (e.g. IP, ICMP)
  - Transport protocol (e.g. TCP, UDP)
  - Application protocol (e.g. HTTP, SMTP)

Pros
- Fast, requires little state information, low false-positive rate

Cons
- Recognizes only known attacks

Examples
- Snort, Bro


Signature-based Detection Example: Snort

Mainly signature based; each intrusion needs a predefined rule, e.g.:

alert tcp $HOME_NET any -> any 9996 \
(msg:"Sasser ftp script to transfer up.exe"; \
content:"|5F75702E657865|"; depth:250; flags:A+; classtype: misc-activity; \
sid:1000000; rev:3)

Three-step processing of captured information (capturing is done by libpcap):
1. Preprocessing (normalized and reassembled packets)
2. Detection engine works on the data and decides what action should be taken
3. Action is taken (log, alert, pass)
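The three processing stages and the rule above, worked through in Python as an added example (this is not code from the slides or from the Snort project). The constructed stream below delivers the pattern in two out-of-order TCP segments, so the detection engine only sees "_up.exe" after the preprocessing stage has reassembled them; the semantics assumed for the rule options are Snort's: content is searched within the first depth bytes of the payload, and flags:A+ means ACK must be set while other flags may be set too. Addresses, sequence numbers and payloads are constructed sample data.

```python
"""Toy Snort-style pipeline: preprocess (reassemble), detect (rule options),
act (alert / log / pass). Added example, not part of the slides or of Snort."""
from dataclasses import dataclass

# Content pattern of the slide's rule: |5F75702E657865| is hex for "_up.exe".
SASSER_CONTENT = bytes.fromhex("5F75702E657865")
SASSER_RULE = {
    "msg": "Sasser ftp script to transfer up.exe",
    "proto": "tcp",
    "dst_port": 9996,
    "content": SASSER_CONTENT,
    "depth": 250,      # only the first 250 payload bytes are searched
    "flags": "A+",     # ACK must be set; further flags are allowed
    "sid": 1000000,
}


@dataclass
class Segment:
    src: str
    dst: str
    dport: int
    seq: int
    flags: set
    payload: bytes


def preprocess(segments):
    """Stage 1: reassemble the segments of one TCP stream in sequence order."""
    ordered = sorted(segments, key=lambda s: s.seq)
    first = ordered[0]
    return {"src": first.src, "dst": first.dst, "dport": first.dport,
            "flags": set().union(*(s.flags for s in ordered)),
            "payload": b"".join(s.payload for s in ordered)}


def flags_match(spec, flags):
    """'A+': the listed flags must be set, others may be; without '+' the
    flag set must match exactly."""
    required = set(spec.rstrip("+"))
    return required <= flags if spec.endswith("+") else required == flags


def detect(rule, conn):
    """Stage 2: the detection engine evaluates header and payload options."""
    if conn["dport"] != rule["dst_port"]:
        return False
    if not flags_match(rule["flags"], conn["flags"]):
        return False
    return rule["content"] in conn["payload"][:rule["depth"]]


def act(rule, conn, action="alert"):
    """Stage 3: emit the configured action (alert/log/pass) as a record."""
    if not detect(rule, conn):
        return {"action": "pass"}
    return {"action": action, "sid": rule["sid"], "msg": rule["msg"],
            "src": conn["src"], "dst": conn["dst"]}


# Constructed sample stream: the pattern is split across two segments that
# arrive out of order, so it is only visible after reassembly.
SAMPLE = [
    Segment("10.0.0.5", "10.0.0.9", 9996, 2, {"A", "P"}, b"p.exe\r\nbye\r\n"),
    Segment("10.0.0.5", "10.0.0.9", 9996, 1, {"A"}, b"echo off\r\nget _u"),
]

if __name__ == "__main__":
    print(act(SASSER_RULE, preprocess(SAMPLE)))
```

Looking at a single segment in isolation (`preprocess([SAMPLE[0]])`) yields no match, which is exactly why the preprocessing stage exists; the same check also shows how depth bounds the search, since a pattern placed beyond byte 250 is ignored.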


Anomaly Detection

Based on the analysis of long-term and short-term traffic behavior

Working principles
- Scan for anomalies in
  - Traffic behavior
  - Protocol behavior
  - Application behavior

Pros
- Recognizes unknown attacks as well

Cons
- False-positive rate might be high

Examples
- PHAD/ALAD, Emerald


Anomaly Identification

Network operation anomalies
- Caused by configuration changes

Source: [Barford2001]

Anomaly Identification

Flash crowd anomalies
- Caused by software releases or special interest in a web site

Source: [Barford2001]

Anomaly Identification

Network abuse anomalies
- DoS flood attacks
- Port scans

Source: [Barford2001]

Anomaly Detection System

Generic anomaly detection system

Source: [Estevez-Tapiador2004]


Detection Quality

Source: [Estevez-Tapiador2004]

Classification Criteria

Source: [Estevez-Tapiador2004]

Anomaly Detection Methodologies

Signal analysis
- Based on the calculation of a deviation score
- Source: [Barford2002]

Statistical traffic modeling
- Analysis of network statistics, e.g. TCP-SYN rate
- Source: [Ohsita2004]

Immunological approach
- Goal: scalable distributed intrusion detection
- Negative detection with censoring
- Partial matching with permutation masks
- Detectors are generated randomly and censored (deleted) if they match normal patterns
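The negative-selection step of the immunological approach, as an added example in Python (not code from the slides or from the original immunological-IDS work): random bit-string detectors are generated and censored if they match any "self" (normal) pattern, so that whatever survives can only match non-self. Partial matching is done here with the r-contiguous-bits rule, i.e. a detector matches a string when they agree on r adjacent bit positions; the permutation masks mentioned on the slide are not modelled. The self set (think of encoded normal connection triples) and the bit length are constructed for the example.

```python
"""Negative selection with censoring and r-contiguous partial matching.
Added example; self patterns and parameters are constructed."""
import random


def r_contiguous_match(a: str, b: str, r: int) -> bool:
    """True if a and b agree on at least r adjacent bit positions."""
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False


def generate_detectors(self_set, length, r, count, seed=0, max_tries=100_000):
    """Negative selection: draw random candidates and censor (drop) every
    candidate that matches a self pattern. Survivors never fire on self."""
    rng = random.Random(seed)
    detectors, tries = [], 0
    while len(detectors) < count and tries < max_tries:
        tries += 1
        cand = "".join(rng.choice("01") for _ in range(length))
        if not any(r_contiguous_match(cand, s, r) for s in self_set):
            detectors.append(cand)
    return detectors


def is_anomalous(detectors, sample, r):
    """A sample is flagged as non-self if any detector matches it."""
    return any(r_contiguous_match(d, sample, r) for d in detectors)


def coverage(detectors, samples, r):
    """Fraction of the given samples that the detector set flags."""
    return sum(is_anomalous(detectors, s, r) for s in samples) / len(samples)


# Constructed "self": three 16-bit encodings of normal activity.
SELF = ["0000111100001111", "0000111100110011", "0011001100001111"]
R = 8  # matching threshold: 8 contiguous agreeing bits

if __name__ == "__main__":
    dets = generate_detectors(SELF, 16, R, 500)
    print(len(dets), "detectors; coverage of self:", coverage(dets, SELF, R))
    print("all-ones string anomalous:", is_anomalous(dets, "1" * 16, R))
```

Because censoring happens at generation time, the false-positive rate on the training self set is zero by construction; the price is that detection of non-self is probabilistic and improves with the number of surviving detectors, which is what makes the approach distributable (each node can hold its own independently generated detector set).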


PHAD

Packet Header Anomaly Detection (PHAD) [Mahoney2001]

- Protocol analysis: learns normal ranges of values for each header field (link, network, transport layer)
- Anomaly score of a field:

  score_field = t * n / r

  t: time since the previous anomaly
  n: number of observations
  r: number of distinct values

- Learning phase + detection phase


ALAD

Application Layer Anomaly Detection (ALAD) [Mahoney2002]

Extension to PHAD
Five models:
1. P(src IP | dest IP)
   Learns the normal set of clients for each host, i.e. the set of clients allowed on a restricted service
2. P(src IP | dest IP, dest port)
   Like (1), but one model for each server on each host
3. P(dest IP, dest port)
   Learns the set of local servers which normally receive requests
4. P(TCP flags | dest port)
   Learns the set of TCP flags for all packets of a particular connection
5. P(keyword | dest port)
   Examines the text in the incoming request (first 1000 bytes)
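The t * n / r score from the PHAD slide and the conditional models of ALAD share one mechanism: a model keeps the set of values seen during the learning phase (possibly per context key), and in the detection phase a value outside that set scores t * n / r, where t is the time since that model's previous anomaly. The added example below (Python; not code from the slides or from Mahoney and Chan's PHAD/ALAD implementation) applies that one mechanism to packet header fields (PHAD) and to ALAD model 2, P(src IP | dest IP, dest port). Simplification: PHAD learns value ranges per field, whereas here every model keeps the set of distinct values; the header fields, packets and timestamps are constructed.

```python
"""t*n/r anomaly scoring shared by PHAD (header fields) and ALAD
(conditional models). Added example with constructed traffic."""


class NominalModel:
    """Normal set of values of one attribute, optionally conditioned on a
    context key (ALAD), plus the counters the t*n/r score needs."""

    def __init__(self):
        self.values = {}        # context -> set of values seen while learning
        self.n = {}             # context -> number of observations (n)
        self.last_anomaly = {}  # context -> time of the previous anomaly

    def learn(self, value, context=None):
        self.values.setdefault(context, set()).add(value)
        self.n[context] = self.n.get(context, 0) + 1

    def score(self, value, now, context=None):
        """t*n/r if value was never seen for this context, else 0.
        t = time since this model's previous anomaly (detection starts at 0).
        An unknown context scores 0 here; ALAD covers new servers with
        model 3, P(dest IP, dest port)."""
        seen = self.values.get(context)
        if seen is None or value in seen:
            return 0.0
        t = now - self.last_anomaly.get(context, 0.0)
        self.last_anomaly[context] = now
        return t * self.n[context] / len(seen)   # r = number of distinct values


PHAD_FIELDS = ("ether_type", "ip_proto", "ip_ttl", "tcp_flags")  # constructed subset


class PHAD:
    """One model per header field; the packet score is the sum over fields."""

    def __init__(self):
        self.models = {f: NominalModel() for f in PHAD_FIELDS}

    def learn(self, pkt):
        for f in PHAD_FIELDS:
            self.models[f].learn(pkt[f])

    def score(self, pkt, now):
        return sum(self.models[f].score(pkt[f], now) for f in PHAD_FIELDS)


class ALADClientModel:
    """ALAD model 2: P(src IP | dest IP, dest port), one model per server."""

    def __init__(self):
        self.model = NominalModel()

    def learn(self, pkt):
        self.model.learn(pkt["src_ip"], (pkt["dst_ip"], pkt["dst_port"]))

    def score(self, pkt, now):
        return self.model.score(pkt["src_ip"], now, (pkt["dst_ip"], pkt["dst_port"]))


def mkpkt(src, dst, dport, ttl=64, flags="PA", proto=6):
    """Constructed packet summary with the fields the models look at."""
    return {"ether_type": 0x0800, "ip_proto": proto, "ip_ttl": ttl,
            "tcp_flags": flags, "src_ip": src, "dst_ip": dst, "dst_port": dport}


# Constructed training traffic: three known clients of one SSH server.
TRAINING = [mkpkt("10.0.0.2", "10.0.0.80", 22),
            mkpkt("10.0.0.3", "10.0.0.80", 22, flags="S"),
            mkpkt("10.0.0.2", "10.0.0.80", 22, ttl=63)] * 10 \
           + [mkpkt("10.0.0.4", "10.0.0.80", 22)]


def run_detection():
    """Learning phase on TRAINING, then score one probe from a new client
    with a never-seen TTL at time 100."""
    phad, alad = PHAD(), ALADClientModel()
    for p in TRAINING:
        phad.learn(p)
        alad.learn(p)
    probe = mkpkt("192.0.2.7", "10.0.0.80", 22, ttl=128, flags="S")
    return {"phad": phad.score(probe, now=100.0), "alad": alad.score(probe, now=100.0)}


if __name__ == "__main__":
    print(run_detection())
```

In the run above PHAD flags only the TTL field (novel value 128, n = 31, r = 2, t = 100), while ALAD flags the unknown client of the server (n = 31, r = 3). A second anomaly shortly after the first scores far lower because t resets, which is the built-in damping against floods of alerts from one burst.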


IDMEF

Intrusion Detection Message Exchange Format (IDMEF)
- RFC 4765
- Object-oriented approach
- XML-based encoding

"The purpose of the Intrusion Detection Message Exchange Format (IDMEF) is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems, and to the management systems which may need to interact with them."


IDMEF

Message types
- Heartbeat message
- Alert message (event report)
  - Analyzer: entity which emitted the alert
  - Classification: what attack has been detected
  - Source: any combination of multiple objects describing a network node, a user, a process, or a service
  - Target: any combination of multiple objects describing a network node, a user, a process, a service, or a file
  - Assessment: severity of the attack and confidence of the analyzer about the validity of the alert
  - Additional information in (name, value) pairs
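An Alert message with exactly the parts listed above, built and parsed with the element names RFC 4765 defines (IDMEF-Message, Alert, Analyzer, CreateTime, Source and Target with Node/Address, Classification, Assessment with Impact and Confidence, AdditionalData). This is an added Python example, not code from the slides nor from Prelude or another IDMEF implementation; the analyzer id, message id, timestamp, addresses and classification text are constructed sample values.

```python
"""Build an IDMEF Alert and read its fields back. Added example; all
identifiers and addresses are constructed."""
import xml.etree.ElementTree as ET

IDMEF_NS = "http://iana.org/idmef"
ET.register_namespace("idmef", IDMEF_NS)


def q(tag):
    """Tag name qualified with the IDMEF namespace, as ElementTree expects."""
    return f"{{{IDMEF_NS}}}{tag}"


def address(parent, ip):
    """Node/Address/address sub-tree shared by Source and Target."""
    node = ET.SubElement(parent, q("Node"))
    addr = ET.SubElement(node, q("Address"), {"category": "ipv4-addr"})
    ET.SubElement(addr, q("address")).text = ip


def build_alert(analyzer_id, classification, src_ip, dst_ip, dst_port,
                severity, confidence, extra):
    """Serialize one Alert inside an IDMEF-Message document (returns str)."""
    root = ET.Element(q("IDMEF-Message"), {"version": "1.0"})
    alert = ET.SubElement(root, q("Alert"), {"messageid": "alert-0001"})  # constructed id
    ET.SubElement(alert, q("Analyzer"), {"analyzerid": analyzer_id})
    # CreateTime carries the ISO timestamp plus an NTP stamp (constructed values).
    ET.SubElement(alert, q("CreateTime"),
                  {"ntpstamp": "0xcaa9a7a0.0x00000000"}).text = "2007-11-15T10:00:00Z"
    address(ET.SubElement(alert, q("Source")), src_ip)
    target = ET.SubElement(alert, q("Target"))
    address(target, dst_ip)
    ET.SubElement(ET.SubElement(target, q("Service")), q("port")).text = str(dst_port)
    ET.SubElement(alert, q("Classification"), {"text": classification})
    assessment = ET.SubElement(alert, q("Assessment"))
    ET.SubElement(assessment, q("Impact"), {"severity": severity})
    ET.SubElement(assessment, q("Confidence"), {"rating": confidence})
    for meaning, value in extra.items():   # the (name, value) pairs
        ad = ET.SubElement(alert, q("AdditionalData"), {"type": "string", "meaning": meaning})
        ET.SubElement(ad, q("string")).text = value
    return ET.tostring(root, encoding="unicode")


def parse_alert(xml_text):
    """Extract the fields a manager would store for correlation."""
    alert = ET.fromstring(xml_text).find(q("Alert"))
    addr_path = f"{q('Node')}/{q('Address')}/{q('address')}"
    return {
        "analyzer": alert.find(q("Analyzer")).get("analyzerid"),
        "classification": alert.find(q("Classification")).get("text"),
        "source": alert.find(f"{q('Source')}/{addr_path}").text,
        "target": alert.find(f"{q('Target')}/{addr_path}").text,
        "target_port": int(alert.find(f"{q('Target')}/{q('Service')}/{q('port')}").text),
        "severity": alert.find(f"{q('Assessment')}/{q('Impact')}").get("severity"),
        "confidence": alert.find(f"{q('Assessment')}/{q('Confidence')}").get("rating"),
        "additional": {ad.get("meaning"): ad.find(q("string")).text
                       for ad in alert.findall(q("AdditionalData"))},
    }


if __name__ == "__main__":
    doc = build_alert("snort-sensor-1", "Sasser ftp script to transfer up.exe",
                      "10.0.0.5", "10.0.0.9", 9996, "high", "medium", {"sid": "1000000"})
    print(doc)
    print(parse_alert(doc))
```

Keeping the sensor-specific detail (here the Snort sid) in AdditionalData rather than in Classification is what lets a manager correlate alerts from different analyzers on the common fields only.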


Advanced Systems

Open-source and academic systems:
- SNORT
- Bro
- D-WARD
- COSSACK
- Prelude
- DIADEM Firewall
- CATS

Commercial systems:
- Cisco IDS
- Juniper NetScreen
- Enterasys Intrusion Defense
- NFR NID-310
- McAfee IntruShield
- ISS RealSecure

Benchmarking


Snort

Rule-based open-source IDS
- Support for Windows, UNIX, Linux, ...
- Huge number of predefined rules
- Daily community rules update
- Rule set can be edited individually

Three-step processing of captured information (capturing via libpcap):
1. Preprocessing (normalized and reassembled packets)
   - Supports packet defragmentation, protocol decoding, state inspection
2. Detection engine works on the data and decides what action should be taken
3. Action is taken (log, alert, pass)
   - Possible reactions: TCP reset, ICMP unreachable, configuration of firewalls, alerting via email, pager, SMS (plugins)
   - Reporting into: log files, log server, database


Snort-Inline

Snort as Intrusion Prevention System (IPS)
- iptables inserts packets into a queue
- Snort receives packets from the queue. In case of overload, packets are dropped
- Preprocessing of data (normalization, reassembly, ...)
- Scan engine performs pattern detection on the data delivered by the preprocessor
  - Possible algorithms:
    - Wu-Manber: fastest algorithm
    - Boyer-Moore: good for small rule sets
    - Aho-Corasick: good performance even in the worst case
- After detecting an intrusion the corresponding action is taken
  - Snort-Inline can make the packet filter drop packets, close connections, ...
  - Also reconfigures (commercial) firewalls
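Aho-Corasick, the algorithm the slide singles out for its worst-case guarantee, as an added Python example (not code from the slides or from Snort): all content patterns of a rule set are compiled into one automaton, and a payload is scanned in a single pass regardless of how many patterns there are, with every match reported including patterns that are suffixes of other patterns. The patterns and payloads are constructed, and the rule labels are made up for the example.

```python
"""Aho-Corasick multi-pattern matcher for a scan engine. Added example;
patterns, labels and payloads are constructed."""
from collections import deque


class AhoCorasick:
    """One pass over the data finds every occurrence of every pattern."""

    def __init__(self, patterns):
        """patterns: dict mapping a bytes pattern to a label (e.g. a rule id)."""
        self.goto = [{}]   # state -> {byte value: next state}
        self.out = [[]]    # state -> labels of patterns that end in this state
        self.fail = [0]    # state -> state of its longest proper suffix in the trie
        for pat, label in patterns.items():
            s = 0
            for b in pat:
                if b not in self.goto[s]:
                    self.goto.append({})
                    self.out.append([])
                    self.fail.append(0)
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].append(label)
        # Failure links by breadth-first traversal: depth-1 states fall back
        # to the root (already 0); deeper states follow their parent's link.
        queue = deque(self.goto[0].values())
        while queue:
            s = queue.popleft()
            for b, t in self.goto[s].items():
                f = self.fail[s]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[t] = self.goto[f].get(b, 0)
                # A pattern that ends in the fallback state also ends here
                # (e.g. "up.exe" inside "_up.exe").
                self.out[t] = self.out[t] + self.out[self.fail[t]]
                queue.append(t)

    def scan(self, data):
        """Return (end_offset, label) for every pattern occurrence in data."""
        matches, s = [], 0
        for i, b in enumerate(data):
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            for label in self.out[s]:
                matches.append((i, label))
        return matches


# Constructed rule set: content patterns with made-up rule labels.
RULESET = {b"_up.exe": "sid:1000000", b"cmd.exe": "sid:A",
           b"up.exe": "sid:B", b".exe": "sid:C"}

if __name__ == "__main__":
    engine = AhoCorasick(RULESET)
    print(engine.scan(b"get _up.exe and cmd.exe"))
```

The scan loop touches each input byte once and never backs up, which is the property that keeps the inline engine's worst case bounded while Boyer-Moore-style skipping degrades on adversarial input.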


Bro

Bro IDS [Paxson1999]
- Available for Unix and Linux
- Signature-based intrusion detection (can work with SNORT rules)
- Signatures can be edited individually
- High number of predefined signatures
- Reporting: log files, log hosts, via email
- Saves captured data into libpcap-compatible files
- Supports packet defragmentation, protocol decoding, state inspection
- Reaction possibilities: connection reset, reconfiguration of firewalls
- No graphical administration or analysis tools available


Bro

Detailed view:

Bro uses several steps to process data
- The amount of data is reduced in every step
- The less data has to be processed, the more complex actions can be taken
- libpcap is used to capture data from the network
- Packet filter removes all packets that are not examined
- Event engine does some first examinations and passes events to the next level
  - An event is created if, e.g., a header check failed
  - Packet defragmentation is done on this level
- Signature engine is used to define recurring events
- Policy engine processes all events created by the event engine

Source: [Paxson1999]

Bro

- The event layer only knows that something has happened, but not what
- Bro signatures make use of regular expressions to be able to detect variations of a certain intrusion

Example of a Bro signature to detect variations of the formmail shell command exploit:

signature formmail-cve-1999-0172 {
    # header conditions narrow the context: TCP to the protected /16 on port 80
    ip-proto == tcp
    dst-ip == 1.2.0.0/16
    dst-port == 80
    # regular expression on the HTTP request; [^&]* takes the recipient
    # value up to the next & separator, [;|] requires a shell metacharacter
    http /.*formmail.*\?.*recipient=[^&]*[;|]/
    event "formmail shell command"
}

Bro uses a scripting language especially designed to facilitate network-traffic analysis and to detect anomalies, which is highly flexible (implicit typing, ...)
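How the signature above separates context from content, shown as an added Python example (not code from the slides or from the Bro/Zeek project): the cheap header conditions (ip-proto, dst-ip prefix, dst-port) are checked first, and only then is the regular expression applied to the HTTP request line, which is what lets one signature cover script paths and parameter orders that a fixed byte string would miss. The requests, addresses and ids are constructed; the regex and the 1.2.0.0/16 prefix are the signature's own.

```python
"""Evaluate the formmail Bro signature (header context + regex) against
constructed HTTP requests. Added example, not Bro's matcher."""
import ipaddress
import re

# Regex of the signature; [^&] reads the recipient value up to the next separator.
FORMMAIL_RE = re.compile(r".*formmail.*\?.*recipient=[^&]*[;|]")

SIGNATURE = {
    "name": "formmail-cve-1999-0172",
    "ip_proto": "tcp",
    "dst_net": ipaddress.ip_network("1.2.0.0/16"),
    "dst_port": 80,
    "http": FORMMAIL_RE,
    "event": "formmail shell command",
}


def matches(sig, conn):
    """Header conditions first (cheap), payload regex last; returns the
    event name on a hit, None otherwise."""
    if conn["ip_proto"] != sig["ip_proto"]:
        return None
    if ipaddress.ip_address(conn["dst_ip"]) not in sig["dst_net"]:
        return None
    if conn["dst_port"] != sig["dst_port"]:
        return None
    if sig["http"].search(conn["http_request"]) is None:
        return None
    return sig["event"]


def evaluate(sig, conns):
    """(connection id, event or None) for each constructed connection."""
    return [(c["id"], matches(sig, c)) for c in conns]


# Constructed sample connections (ids, addresses and requests are made up).
SAMPLE = [
    # shell metacharacter right after the recipient value
    {"id": 1, "ip_proto": "tcp", "dst_ip": "1.2.3.4", "dst_port": 80,
     "http_request": "GET /cgi-bin/formmail.pl?recipient=alice@example.org; HTTP/1.0"},
    # variation: other script path, other parameters before recipient, pipe instead of ;
    {"id": 2, "ip_proto": "tcp", "dst_ip": "1.2.200.1", "dst_port": 80,
     "http_request": "GET /scripts/formmail.cgi?subject=hi&recipient=bob@example.org| HTTP/1.1"},
    # legitimate use of the same script: no metacharacter in the recipient value
    {"id": 3, "ip_proto": "tcp", "dst_ip": "1.2.3.4", "dst_port": 80,
     "http_request": "GET /cgi-bin/formmail.pl?recipient=bob@example.org&subject=hi HTTP/1.0"},
    # same request as 1, but the target is outside the protected prefix
    {"id": 4, "ip_proto": "tcp", "dst_ip": "203.0.113.5", "dst_port": 80,
     "http_request": "GET /cgi-bin/formmail.pl?recipient=alice@example.org; HTTP/1.0"},
    # same request as 1, but on a port the signature does not cover
    {"id": 5, "ip_proto": "tcp", "dst_ip": "1.2.3.4", "dst_port": 8080,
     "http_request": "GET /cgi-bin/formmail.pl?recipient=alice@example.org; HTTP/1.0"},
]

if __name__ == "__main__":
    for conn_id, event in evaluate(SIGNATURE, SAMPLE):
        print(conn_id, event)
```

Connections 4 and 5 carry the same request as connection 1 yet raise no event, which is the point of the header context: the expensive regex only runs for traffic the signature is meant to cover, and the event layer then reports "formmail shell command" without knowing which variation matched.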


Emerald

EMERALD, Stanford Research Institute (SRI) [Porras1997]

Main characteristics
- Distributed detection and response system
- Primary focus: detection of host-based intrusions
- Employs interdependent monitors at three hierarchical levels: service monitors, domain monitors, and enterprise monitors

Data sources
- Generation of an event stream from audit data, network datagrams, SNMP traffic
- Event stream is parsed, filtered, formatted by event-collection methods

Signature engine
- Employs a rule-coding scheme to detect known intrusion patterns

Profiler engine
- Performs statistical profile-based anomaly detection

Resolver engine
- Integrates results from profiler engine and signature engine

Implementation
- No API, Solaris only


Prelude IDS

Prelude Hybrid IDS [PreludeIDS]: open-source intrusion detection and response system

Characteristics:
- Hybrid: supports network-based (NIDS) and host-based detection (HIDS)
- Signatures for knowledge-based detection
- Distributed, hierarchical architecture of sensors and managers
- Available for many UNIX derivatives
- Communication between different components based on IDMEF
- IDMEF alerts stored in a central SQL database
- Integration of other open-source packages like Snort, Bro, Honeyd etc.

Sensors:
- NIDS: analysis of captured packets at different protocol layers, port scan detection, ARP spoofing detection, and others
- HIDS: LML (Log Monitoring Lackey): analysis of log files on routers, firewalls, and end systems; file integrity check

Managers:
- Receive IDMEF messages from sensors
- Alert processing: aggregation, correlation, output, storage in database, triggering of response actions (under development)


D-WARD

DDoS Network Attack Recognition and Defense [Mirkovic2003]:

- Idea: detect and rate-limit misbehaving flows at the source, i.e. at the ingress point to the network (source-end detection, firewall for outgoing flows)
- Two levels of detection:
  - Flows = aggregate of packets directed to a common destination
  - Individual UDP/TCP connections
- Anomaly detection based on models of well-behaving flows and connections
- Response:
  - Exponential throttling of misbehaving flows
  - Exclude well-behaving connections from the rate limit
  - Gradually remove the rate limit if the flow becomes compliant with the model again

Architecture:
- Distributed, autonomously working systems

Limitations:
- Does not work with multi-homed networks and asymmetric routing
- Anomaly detection based on static, predefined models (no dynamic update)
- Conceived to detect and mitigate flooding attacks
- Requires large-scale deployment in order to be efficient
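The response side of the slide (exponential throttling, exemption of well-behaving connections, gradual removal of the limit) as an added Python example; this is a simplified model written for the page, not code from the slides or from the D-WARD prototype. The "well-behaving flow" model is reduced to a sent/received packet ratio, and the halving factor, the recovery rule (double the limit after three compliant intervals, drop it once demand fits) and the thresholds are assumptions for the example; per-interval observations are constructed.

```python
"""Simplified source-end rate limiting in the style of D-WARD. Added
example with assumed parameters and constructed observations."""

TCP_RATIO_MAX = 3.0      # assumption: more than 3 packets sent per packet received = misbehaving
MIN_RATE = 1.0           # floor of the throttle, packets per interval (assumption)
COMPLIANT_INTERVALS = 3  # compliant intervals needed before the limit is relaxed (assumption)


class FlowLimiter:
    """Keeps one rate limit per flow (= per destination), None when unrestricted."""

    def __init__(self):
        self.limit = {}       # dst -> current limit in packets/interval, or None
        self.good_runs = {}   # dst -> consecutive compliant intervals

    @staticmethod
    def compliant(sent, received):
        """Flow-level model: replies must keep up with what is sent."""
        return received > 0 and sent / received <= TCP_RATIO_MAX

    def observe(self, dst, sent, received):
        """Update the limit of flow `dst` after one observation interval and
        return the new limit (None = no limit)."""
        lim = self.limit.get(dst)
        if not self.compliant(sent, received):
            self.good_runs[dst] = 0
            # exponential throttling: halve the allowed rate every bad interval
            self.limit[dst] = max(MIN_RATE, (sent if lim is None else lim) / 2)
        elif lim is not None:
            self.good_runs[dst] = self.good_runs.get(dst, 0) + 1
            if self.good_runs[dst] >= COMPLIANT_INTERVALS:
                self.good_runs[dst] = 0
                # gradual removal: double the limit; drop it once demand fits under it
                lim *= 2
                self.limit[dst] = None if lim >= sent else lim
        return self.limit.get(dst)

    def admit(self, dst, conn_compliant, packets):
        """Connection level: packets of a well-behaving connection bypass the
        flow limit; the rest of the flow is capped at the limit."""
        lim = self.limit.get(dst)
        if lim is None or conn_compliant:
            return packets
        return min(packets, int(lim))


def simulate(observations):
    """observations: (dst, sent, received) per interval; returns the limit after each."""
    limiter = FlowLimiter()
    return [limiter.observe(dst, sent, received) for dst, sent, received in observations]


# Constructed trace: a flood toward one destination (many packets, almost no
# replies) that stops after three intervals; the flow then behaves normally.
TRACE = [("198.51.100.9", 1000, 10), ("198.51.100.9", 1000, 5), ("198.51.100.9", 800, 0),
         ("198.51.100.9", 100, 60), ("198.51.100.9", 90, 50), ("198.51.100.9", 90, 50),
         ("198.51.100.9", 90, 50), ("198.51.100.9", 90, 50), ("198.51.100.9", 90, 50)]

if __name__ == "__main__":
    print(simulate(TRACE))
```

The limit history for the trace is 500, 250, 125 during the flood, stays at 125 for the first compliant intervals, and is removed after the third, which is the slide's "gradually remove rate limit" behaviour in miniature; a connection judged well-behaving on its own keeps full throughput throughout via `admit`.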


D-WARD

(Figure [Mirkovic2003]: D-WARD deployed where the source network connects to the Internet)


COSSACK

Coordinated Suppression of Simultaneous Attacks [Papadopoulos2003]:
- Distributed intrusion detection and response system
- Watchdog detection of attacks against edge networks
- Intrusion detection based on Snort
- Multicast attack notification of remote watchdogs
- Watchdogs that identify attackers inside their edge network install firewall rules


DIADEM Firewall

DIADEM Firewall (IST-2002-2.3.1.3) [www.diadem-firewall-org]:
Cooperating Autonomous Detection Systems (CATS)

Network monitoring environment:
- Distributed and modular
- Based on IPFIX/PSAMP/Netflow
- Dynamically reconfigurable according to the current needs for violation detection

Violation detection:
- Deployment of anomaly and knowledge-based detection methods

Firewall elements:
- Integration of open and commercial high-speed firewalls
- Possible responses: blocking, rate-limiting, redirection

System manager:
- Defines domain-wide detection and response policies
- Triggers attack response

IDMEF used for event notification between different components

Focus on DoS attack detection and mitigation (flooding attacks, web server overload etc.)


DIADEM Firewall

Architecture (figure):
- Administrative domain level: System Manager (receives notifications of attacks, performs violation adaptation and configuration, triggers response actions)
- Element level (HW abstraction layer): Violation Detection, Monitoring Element (delivers monitoring data), Firewall Element (executes response actions)
- Monitor data level
- Network: operator network with Internet router and firewall device, between the Internet (attacker) and the protected customer

DIADEM Firewall: CATS


Assessment of Distributed Intrusion Detection Systems

                                    EMERALD          Prelude IDS   D-WARD   COSSACK   CATS
Attack detection
  Local context                     yes              yes           yes      yes       yes
  Global context                    no (hostbased)   no            no       yes       yes
  Knowledge-based detection         yes              yes           no       no        yes
  Anomaly detection                 yes              no            yes      yes       yes
Distributed intelligence
  Autonomous behavior               no               no            yes      yes       yes
  Sep. of monitoring & detection    no               no            no       no        yes
  Distributed detection             yes              partly        no       no        yes


Cisco Secure IDS

Cisco Secure IDS / IPS (Intrusion Detection System / Intrusion Prevention System)
- Available as independent appliance and as plugin for the Catalyst 6500 Series Switches
- Platform: specially adapted RedHat Linux (Solaris)
- Stateful signature-based pattern recognition (>300 signatures available)
- Protocol analysis (including layer 7 protocol decoding)
- Traffic (statistical) and protocol (RFC conformity) anomaly detection
- Reporting into HTML logs but also user-defined formats
- Responses: TCP reset, reconfiguration of firewalls, dropping of packets
- Centralized update of deployed sensors (signatures, policies, ...)
- Update service provided by Cisco
- Policy language for user-defined policies (makes use of signatures/statistics, ...)
- Intrusion investigation (to classify the severity of intrusions)
  - Basic investigation of target vulnerability: probability of a successful intrusion on the target system (cf. Windows exploit on a Linux machine)
  - Advanced investigation of the target: tries to determine if an intrusion was successful (logs, ...)
  - Forensic data capture: data which is important for forensic analysis is gathered. Prevents the intruder from covering his tracks and deleting information which might be used to discover his identity
  - Gathered information is stored in an HTML-based database
- Appliances for 45 Mbit, 200 Mbit, 500 Mbit and 1 Gbit

http://www.cisco.com/en/US/products/sw/secursw/ps2113/index.html


Juniper - NetScreen

Juniper Networks NetScreen Intrusion Detection and Prevention (IDP)
- Supported OS: management server: RedHat Linux, Solaris; GUI clients for W2K/WinXP, RedHat Linux; sensor as appliance
- Signature-based intrusion detection (parallel signature matching)
  - Stateful inspection
  - Protocol anomaly detection
  - Protocol reassembly, normalization and decoding
  - User-defined signatures
  - Signature update service (weekly/emergency)
- Network honeypot, anomaly detection
- Notification: email, syslog, SNMP trap, user-defined scripts
- Logging: database, XML, CSV
- Response: TCP reset, close client/server connection, IP action
- High availability through clustering, load balancing, standalone failover, physical redundancy

http://www.juniper.net/products/intrusion/

Enterasys Intrusion Defense

Dragon 7.0 Network Sensor
- Available as appliance or software only
- Supported OS:
  - Management: Solaris, RedHat / Fedora Linux
  - GUI client: W2K/XP/2003, RedHat / Fedora Linux, Linux
  - Sensor: Fedora Linux (Core 1/2), Solaris for Sparc (8/9)
- Signature-based detection
  - XML signature format
  - >1300 predefined signatures
  - Support for user-defined signatures
  - Weekly online updates
- Protocol defragmentation, decoding, stateful inspection
- Response: ICMP not reachable, TCP reset, user-defined scripts
- IDS evasion countermeasures: identifies attackers trying to evade the IDS (with tools like stick or snot)
- Probe prevention: supplies attackers with false information
- Virtual sensors: one sensor acts as multiple unique sensors

http://www.enterasys.com/products/ids/


Network Flight Recorder

NFR NID-310
- Supported OS:
  - W2K/XP for administration interface (AI)
  - W2K/XP/Solaris 8/Linux for central management server (CMS)
  - Network sensor runs from a bootable CD (sensor is shipped as appliance or software-only)
- Three-tier infrastructure: AI (administration interface), CMS (central management server), sensors
- Event-driven, signature- and protocol-based analysis
  - Packet defragmentation
  - Protocol decoding
  - Stateful analysis
- Predefined signature sets, user-defined signatures possible, online signature update
- NCode: language to define signatures
- Central administration for a set of sensors
- Central gathering of information coming from the sensors
- Response: TCP reset, firewall reconfiguration

www.nfr.com


McAfee IntruShield

McAfee IntruShield
- Appliance only (100 Mb/s to 2 Gb/s)
- Signature-based intrusion detection
- Statistical detection of protocol and application anomalies and DoS attacks
- Packet defragmentation, stream reassembly
- >3000 predefined signatures, up to 3000 DoS profiles, user-defined signatures via GUI
- Possibility to secure SSL-encrypted sessions by storing the SSL key within the sensor; analysis of a decrypted copy of the traffic
- Works in inline, tap, or span mode
- Response: TCP reset, ICMP unreachable, dropping of packets, firewall reconfiguration
- Integrated firewall

http://www.mcafeesecurity.com/de/products/mcafee/network_ips/intrushield_appliances.htm


ISS Real Secure

ISS Real Secure Network Sensor
- Supported OS: W2K, Solaris 7/8, RedHat Linux 7.3, Nokia IPSO >3.4 (as appliance)
- 7-layer protocol analysis:
  - Signature-based pattern recognition
  - Protocol defragmentation, decoding, state analysis
- >1200 predefined signatures, user-defined signatures with regular expressions
- Possibility to import Snort rules
- Notifications: console alerts, SNMP trap, email, SessionView
- Logging: results and packets to database, intruding packets to disk, all captured packets to disk
- Response: TCP reset, firewall reconfiguration, execute user-defined programs

http://www.iss.net/products_services/enterprise_protection/rsnetwork/sensor.php


Comparison of Commercial Systems

(Table; only the row and column headings survive in the extracted text, the individual YES entries could not be recovered)

Columns: Cisco IDS, Juniper NetScreen, Enterasys Intrusion Defense, NFR NID-310, McAfee IntruShield, ISS RealSecure

Rows:
- Available as appliance
- Available as software
- Protocol decoding
- Packet defragmentation
- Predefined signatures
- User-defined signatures
- Signature download
- Insert Snort rules
- Logging: database; file (XML, CSV, HTML, ...); syslog server
- Response: TCP reset; ICMP unreachable; packet drop; firewall reconfiguration; user-defined action

Empty squares == no information available, but NO can be assumed


Further Examples of Commercial IDS / IPS

IDS/IPS
- Symantec ManHunt - www.symantec.com
- Checkpoint: integrated part of the Checkpoint Firewall - www.checkpoint.com
- BroadWeb NetKeeper NK-3256T V3.6.0 - www.broadweb.com
- Fortinet FortiGate-800 - www.fortinet.com
- SecureSoft Absolute IPS NP5G V1.1 - www.securesoftusa.com
- Top Layer IPS 5500 V3.3 - www.toplayer.com
- ISS Proventia A201 Intrusion Protection Appliance - www.iss.net
- Intrusion SecureNet 7145C V4.3 - http://www.intrusion.com/

DDoS Detection and Prevention Systems
- Arbor Networks: The Peakflow Platform - http://www.arbornetworks.com
- Mazu Networks: Mazu Profiler and Mazu Enforcer - http://www.mazunetworks.com
- P-CUBE: Service Engine - http://www.p-cube.com


Benchmarking

How to measure the quality of an IDS?
- Run a set of attacks within a monitored network segment
- Use an increasing level of background traffic in addition to the attacks
  - 25%, 50%, 75%, 99% of the available bandwidth filled with background traffic
  - Stress the IDS to examine if packets are dropped
  - How many attacks are detected?
  - Large number of small / mid-size / large packets
- Use a high rate of HTTP traffic
  - Large number of potential HTTP exploits
  - Large number of concurrent HTTP sessions forces the IDS to track these sessions
  - High rate of new connections
  - High transaction delay
  - Packet fragmentation
  - IDS torture


Testing and Benchmarking

DARPA Environment (1998/1999)
- First systematic effort to test an IDS
- Analysis of huge amounts of data, e.g. from Hanscom Air Force Base

LARIAT Environment (2000)
- Lincoln Adaptive Real-time Information Assurance Test-bed
- Emulates network traffic from a small organization
- Traffic generation using defined service models

Predominant open-source philosophy for testing an IDS
- Individual test environment
- Search for existing exploits / attacks
- Mix of background traffic and attack traffic
- Analysis of the detection ratio (false positive / false negative)

Source: [Athanasiades2003]
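The last step of the open-source test philosophy, the analysis of detection ratio and false positives / false negatives across the background-load levels of the previous slide, as an added Python example (not code from the slides or from any named test-bed). It assumes the ground truth is a set of injected attacks with known time intervals and that the IDS output is a list of alert timestamps: an alert inside an attack interval counts for that attack, any other alert is a false positive, and an attack without an alert is a false negative. Attack intervals, alert times and load levels are constructed.

```python
"""Detection ratio and false positive / false negative analysis of IDS
benchmark runs at increasing background load. Added example; the attacks,
alerts and load levels are constructed."""


def evaluate_run(attacks, alerts, window=0.0):
    """attacks: {id: (start, end)}; alerts: list of alert timestamps.
    An alert within an attack interval (padded by `window` seconds) is a
    true positive for that attack; an alert matching no attack is a false
    positive; an attack with no alert is a false negative."""
    detected, false_positives = set(), 0
    for t in alerts:
        hits = [aid for aid, (start, end) in attacks.items()
                if start - window <= t <= end + window]
        if hits:
            detected.update(hits)
        else:
            false_positives += 1
    missed = set(attacks) - detected
    return {
        "detection_ratio": len(detected) / len(attacks),
        "false_negative_rate": len(missed) / len(attacks),
        "false_positives": false_positives,
        "false_positive_fraction": false_positives / len(alerts) if alerts else 0.0,
        "missed": sorted(missed),
    }


# Constructed ground truth: three injected attacks with their time intervals (seconds).
ATTACKS = {"portscan": (10.0, 20.0), "synflood": (40.0, 60.0), "http-exploit": (80.0, 81.0)}

# Constructed IDS output per background-load level (percent of bandwidth):
# as load grows the sensor drops packets, so fewer attacks are seen while a
# spurious alert at t=33 persists.
RUNS = {25: [12.0, 45.0, 80.5, 33.0],
        50: [15.0, 50.0, 33.0, 70.0],
        75: [41.0, 33.0],
        99: [33.0]}


def benchmark(attacks=ATTACKS, runs=RUNS):
    """Metrics per load level, the table a benchmark report would print."""
    return {load: evaluate_run(attacks, alerts) for load, alerts in runs.items()}


if __name__ == "__main__":
    for load, metrics in sorted(benchmark().items()):
        print(f"{load:3d}% load: detection {metrics['detection_ratio']:.2f}, "
              f"FNR {metrics['false_negative_rate']:.2f}, "
              f"FP {metrics['false_positives']}, missed {metrics['missed']}")
```

Reporting the missed attack ids alongside the ratios is what makes such a run actionable: in the constructed data the short HTTP exploit is the first casualty of packet loss at 50% load, long before the flood is missed.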

Summary (what do I need to know)

- Principles of Intrusion Detection Systems
- Categories
  - Knowledge-based / signature-based
  - Anomaly detection
  - Host-based IDS vs. network IDS
- Detection quality
  - False positives
  - False negatives


Additional References
[Barford2001] P. Barford and D. Plonka, "Characteristics of Network Traffic Flow Anomalies,"
Proceedings of ACM SIGCOMM Internet Measurement Workshop, October 2001.
[Barford2002] P. Barford, J. Kline, D. Plonka, and A. Ron, "A Signal Analysis of Network Traffic
Anomalies," Proceedings of ACM SIGCOMM Internet Measurement Workshop, Marseilles, France,
November 2002.
[Cabrera2000] J. B. D. Cabrera, B. Ravichandran, and R. K. Mehra, "Statistical Traffic Modeling for
Network Intrusion Detection," Proceedings of 8th International Symposium on Modeling, Analysis and
Simulation of Computer and Telecommunication Systems (MASCOTS), 2000, pp. 466.
[Caswell2004] B. Caswell and J. Hewlett, "Snort Users Manual," The Snort Project, Manual, May 2004.
(http://www.snort.org/docs/snort_manual.pdf)
[Estevez-Tapiador2004] J. M. Estevez-Tapiador, P. Garcia-Teodoro, and J. E. Diaz-Verdejo, "Anomaly
detection methods in wired networks: a survey and taxonomy," Computer Communications, vol. 27,
July 2004, pp. 1569-1584.
[Hofmeyer1998] S. Hofmeyer, S. Forrest, and P. D'haeseleer, "An Immunological Approach to Distributed
Network Intrusion Detection," Proceedings of First International Workshop on the Recent Advances
in Intrusion Detection (RAID'98), Louvain-la-Neuve, Belgium, September 1998.
[Hussain2003] A. Hussain, J. Heidemann, and C. Papadopoulos, "A Framework for Classifying Denial of
Service Attacks," Proceedings of ACM SIGCOMM Conference, Karlsruhe, Germany, August 2003,
pp. 99-110.
[Kemmerer2002] R. Kemmerer and G. Vigna, "Intrusion Detection: A Brief History and Overview," IEEE
Computer - Special Issue on Security and Privacy, April 2002, pp. 27-30.
[Mahoney2001] M. V. Mahoney and P. K. Chan, "PHAD: Packet Header Anomaly Detection for
Identifying Hostile Network Traffic," Florida Tech., Technical Report CS-2001-4, 2001.
[Mirkovic2004] J. Mirkovic and P. Reiher, "A Taxonomy of DDoS Attack and DDoS Defense
Mechanisms," ACM SIGCOMM Computer Communication Review, vol. 34, April 2004, pp. 39-53.
[Moore2001] D. Moore, G. M. Voelker, and S. Savage, "Inferring Internet Denial-of-Service Activity,"
Proceedings of USENIX Security Symposium, Washington, DC, August 2001.
[Wang2002] H. Wang, D. Zhang, and K. G. Shin, "Detecting SYN Flooding Attacks," Proceedings of IEEE
INFOCOM 2002, 2002.

