TY - GEN
T1 - A serial combination of anomaly and misuse IDSes applied to HTTP traffic
AU - Tombini, Elvis
AU - Debar, Hervé
AU - Mé, Ludovic
AU - Ducassé, Mireille
PY - 2004/12/1
Y1 - 2004/12/1
N2 - Combining an "anomaly" IDS and a "misuse" IDS offers the advantage of separating the monitored events into normal, intrusive or unqualified classes (i.e. not known as an attack, but not recognized as safe either). In this article, we provide a framework to systematically reason about the combination of anomaly and misuse components. This framework, applied to web servers, led us to propose a serial architecture, using a drastic anomaly component with a sensitive misuse component. This architecture provides the operator with better qualification of the detection results and raises fewer false alarms and unqualified events.
AB - Combining an "anomaly" IDS and a "misuse" IDS offers the advantage of separating the monitored events into normal, intrusive or unqualified classes (i.e. not known as an attack, but not recognized as safe either). In this article, we provide a framework to systematically reason about the combination of anomaly and misuse components. This framework, applied to web servers, led us to propose a serial architecture, using a drastic anomaly component with a sensitive misuse component. This architecture provides the operator with better qualification of the detection results and raises fewer false alarms and unqualified events.
UR - https://www.scopus.com/pages/publications/21644481499
U2 - 10.1109/CSAC.2004.4
DO - 10.1109/CSAC.2004.4
M3 - Conference contribution
AN - SCOPUS:21644481499
SN - 0769522521
T3 - Proceedings - Annual Computer Security Applications Conference, ACSAC
SP - 428
EP - 437
BT - Proceedings - 20th Annual Computer Security Applications Conference, ACSAC 2004
T2 - 20th Annual Computer Security Applications Conference, ACSAC 2004
Y2 - 6 December 2004 through 10 December 2004
ER -