TY - JOUR
T1 - A brief observation-centric analysis on anomaly-based intrusion detection
AU - Zhang, Zonghua
AU - Shen, Hong
PY - 2005
Y1 - 2005
N2 - This paper is focused on the analysis of the anomaly-based intrusion detectors' operational capabilities and drawbacks, from the perspective of their operating environments, instead of the schemes per se. Based on the similarity with the induction problem, anomaly detection is cast in a statistical framework for describing their general anticipated behaviors. Several key problems and corresponding potential solutions about the normality characterization for the observable subjects from hosts and networks are addressed respectively, together with case studies of several representative detection models. Anomaly detectors' evaluation is also discussed briefly based on some existing achievements. Careful analysis shows that the fundamental understanding of the operating environments is the essential stage in the process of establishing an effective anomaly detection model, which is therefore worth insightful exploration, especially when we face the dilemma between detection performance and computational cost.
AB - This paper is focused on the analysis of the anomaly-based intrusion detectors' operational capabilities and drawbacks, from the perspective of their operating environments, instead of the schemes per se. Based on the similarity with the induction problem, anomaly detection is cast in a statistical framework for describing their general anticipated behaviors. Several key problems and corresponding potential solutions about the normality characterization for the observable subjects from hosts and networks are addressed respectively, together with case studies of several representative detection models. Anomaly detectors' evaluation is also discussed briefly based on some existing achievements. Careful analysis shows that the fundamental understanding of the operating environments is the essential stage in the process of establishing an effective anomaly detection model, which is therefore worth insightful exploration, especially when we face the dilemma between detection performance and computational cost.
UR - http://www.scopus.com/inward/record.url?scp=24644478688&partnerID=8YFLogxK
U2 - 10.1007/978-3-540-31979-5_16
DO - 10.1007/978-3-540-31979-5_16
M3 - Conference article
AN - SCOPUS:24644478688
SN - 0302-9743
VL - 3439
SP - 178
EP - 191
JO - Lecture Notes in Computer Science
JF - Lecture Notes in Computer Science
T2 - First International Conference on Information Security, Practice and Experience, ISPEC 2005
Y2 - 11 April 2005 through 14 April 2005
ER -