Titlebook: Recent Advances in Intrusion Detection; 5th International Sy Andreas Wespi,Giovanni Vigna,Luca Deri Conference proceedings 2002 Springer-Ve

漂浮

Undermining an Anomaly-Based Intrusion Detection System Using Common Exploitssses of an anomaly-based intrusion detector, and shows how an attacker can manipulate common attacks to exploit those weaknesses. The paper explores the implications of this threat, and suggests possible improvements for existing and future anomaly-based intrusion detection systems.

BRIBE

A Mission-Impact-Based Approach to INFOSEC Alarm Correlationact Intrusion Report Correlation System, or M-Correlator. M-Correlator is intended to provide analysts (at all experience levels) a powerful capability to automatically fuse together and isolate those INFOSEC alerts that represent the greatest threat to the health and security of their networks.

Interim

M2D2: A Formal Data Model for IDS Alert Correlationsly specified using the formal definition of M2D2. As opposed to already published correlation methods, these examples use more than the events generated by security tools; they make use of many concepts formalized in M2D2.

密码

Platelet

弄脏

Performance Adaptation in Real-Time Intrusion Detection Systems and cost-benefit analysis. The back-end performs scenario (or trend) analysis to recognize on-going attack sequences, so that the predictions of the likely . attacks can be used to pro-actively and optimally configure the IDS.

Gobble

Detecting Malicious Software by Monitoring Anomalous Windows Registry Accessesdel is used to check each access to the registry in real time to determine whether or not the behavior is abnormal and (possibly) corresponds to an attack. The system is effective in detecting the actions of malicious software while maintaining a low rate of false alarms

泄露

Introducing Reference Flow Control for Detecting Intrusion Symptoms at the OS Leveluence of another, in order to detect that kind of attacks. We propose a proof-of-concept application to a Unix system and show its ability to detect novel attack scenarii that seek the same intrusion goals.

玛瑙

Detecting Long Connection Chains of Interactive Terminal Sessionsgy for detecting suspicious remote sessions, used as part of a long connection chain. Interactive terminal sessions behave differently on long chains than on direct connections. The time gap between a client request and the server delayed acknowledgment estimates the round-trip time to the nearest s

联合

Multiscale Stepping-Stone Detection: Detecting Pairs of Jittered Interactive Streams by Exploiting Mre is a growing literature on ways to detect that an interactive connection into a site and another outbound from the site give evidence of such a “stepping stone.” This has been done based on monitoring the access link connecting the site to the Internet (Eg. [.,., .]). The earliest work was based