IDS Reading List

A collection of important intrusion detection papers (Last update: July 2006)

Guofei Gu

Survey

• Network Intrusion Detection. B. Mukherjee, L. T. Heberlein, and K. N. Levitt. IEEE Network, May/June, 1994.
• Research in Intrusion Detection Systems: A Survey. S. Axelsson. Technical Report. 1999.
• A Revised Taxonomy for Intrusion-Detection Systems. H. Debar, M. Dacier, and A. Wepsi. IBM Research Report. 1999.
• Data Mining Methods for Network Intrusion Detection. S Terry Brugger. Technical Report. 2004

General and Theoretical Background

• Computer Security Threat Monitoring and Surveillance. Anderson (1980)
• An Intrusion-Detection Model. D. Denning. IEEE Transactions on Software Engineering, 13(2), Feb. 1987.
• Statistical Foundations of Audit Trail Analysis for the Detection of Computer Misuse. P. Helman and G. Liepins. IEEE Transactions on Software Engineering, 19(9), September, 1993.
• Artificial Intelligence and Intrusion Detection: Current and Future Directions. J. Frank. In Proceedings of the 17th National Computer Security Conference. 1994.
• The Base-Rate Fallacy and Its Implications for the Difficulty of Intrusion Detection. S. Axelsson. In Proceedings of the ACM Conference on Computer and Communication Security. November, 1999.
• A Preliminary Attempt to Apply Detection and Estimation Theory to Intrusion Detection. Stefan Axelsson, Technical Report No 00-4, Dept. of Computer Engineering, Chalmers Univerity of Technology, Sweden, March 2000
• Information-Theoretic Measures for Anomaly Detection. W. Lee and D. Xiang. In Proceedings of the 2001 IEEE Symposium on Security and Privacy. May, 2001.
• "Why 6?" Defining the operational limits of stide, an anomaly-based intrusion detector. K. M. C. Tan and R. A. Maxion. In IEEE Symposium on Security and Privacy (S&P '02). [JSAC Version]
• Toward Cost-Sensitive Modeling for Intrusion Detection and Response. W. Lee, W. Fan, M. Miller, S. Stolfo, and E. Zadok. Journal of Computer Security 10(1,2), 2002.
• Towards a Theory of Intrusion Detection. Giovanni Di Crescenzo, Abhrajit Ghosh, Rajesh Talpade. ESORICS'05
• Towards an Information-Theoretic Framework for Analyzing Intrusion Detection Systems. Guofei Gu, Prahlad Fogla, David Dagon, Wenke Lee, and Boris Skoric. ESORICS'06

Misuse Detection Technique

• An Application of Pattern Matching in Intrusion Detection. S. Kumar and E. H. Spafford. Purdue University Technical Report CSD-TR-94-013. 1994
• State Transition Analysis: A Rule-Based Intrusion Detection Approach. K. Ilgun, R. A. Kemmerer, and P. A. Porras. IEEE Transactions on Software Engineering, 21(3). March, 1995.
• Detecting Computer and Network Misuse Through the Production-Based Expert System Toolset (P-BEST) . U. Lindqvist and P. A. Porras. In Proceedings of the 1999 IEEE Symposium on Research in Security and Privacy. 1999.
• Snort - Lightweight Intrusion Detection for Networks. Martin Roesch. USENIX LISA'99
• Bro: A System for Detecting Network Intruders in Real-Time, V. Paxson, Computer Networks, 31(23-24), pp. 2435-2463, 14 Dec. 1999

Host-based Anomaly Detection Technique

• The SRI IDES Statistical Anomaly Detector. H. S. Javitz and A. Valdes. In Proceedings of the IEEE Symposium on Research in Security and Privacy. 1991.
• Experiences with Tripwire: Using Integrity Checkers for Intrusion Detection. G. H. Kim and E. H. Spafford. In USENIX Systems Administration, Networking and Security Conference III. 1994.
• A Sense of Self for Unix Processes. S. Forrest, S. A. Hofmeyr, A. Somayaji, and T. A. Longstaff. In Proceedings of the 1996 IEEE Symposium on Security and Privacy. 1996.
•  Execution Monitoring of Security-Critical Programs in Distributed Systems: A Specification-based Approach. C. Ko, M. Ruschitzka, and K. Levitt. In Proceedings of the 1997 IEEE Symposium on Security and Privacy. 1997.
• Intrusion Detection Using Sequences of System Calls.  S. Hofmeyr, S. Forrest, and A. Somayaji Journal of Computer Security Vol. 6, pp. 151-180 (1998).
• Detecting Intrusion Using System Calls: Alternative Data Models. C. Warrender, S. Forrest, and B. Perlmutter. In Proceedings of the 1999 IEEE Symposium on Security and Privacy. 1999.
• Automated Response Using System-Call Delays. A. Somayaji and S. Forrest. Usenix Security 2000
• Intrusion Detection via Static Analysis. D. Wagner and D. Dean. In Proceedings of the 2001 IEEE Symposium on Security and Privacy. 2001.
• A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors. R. Sekar, M. Bendre, D. Dhurjati, and P. Bollineni. In Proceedings of the 2001 IEEE Symposium on Security and Privacy. 2001.
• Specification Based Anomaly Detection: A New Approach for Detecting Network Intrusions. R. Sekar, A. Gupta, J. Frullo, T. Shanbhag, A. Tiwari, H. Yang and S. Zhou, ACM CCS, 2002.
• Anomaly Detection Using Call Stack Information. Henry H. Feng, Oleg Kolesnikov, Prahlad Fogla, Wenke Lee, and Weibo Gong. IEEE S&P 2003
• Efficient context-sensitive intrusion detection. Jonathon T. Giffin, Somesh Jha, and Barton P. Miller. NDSS'04
• Formalizing sensitivity in static analysis for intrusion detection. Henry Hanping Feng, Jonathon T. Giffin, Yong Huang, Somesh Jha, Wenke Lee, and Barton P. Miller. IEEE S&P 2004
• Environment-sensitive intrusion detection. Jonathon T. Giffin, David Dagon, Somesh Jha, Wenke Lee, and Barton P. Miller. RAID'05

Network-based Anomaly Detection Technique

• A Framework for Constructing Features and Models for Intrusion Detection Systems. W. Lee and S. J. Stolfo. ACM Transactions on Information and System Security, 3(4). 2000.
• A Signal Analysis of Network Traffic Anomalies. Paul Barford, Jeffery Kline, David Plonka and Amos Ron, IMW '02
• A comparative study of anomaly detection schemes in network intrusion detection. A. Lazarevic, L. Ertoz, A. Ozgur, J. Srivastava & V. Kumar. Proc. SIAM Conf. Data Mining, 2003
• Anomaly Detection of Web-based Attacks. C. Kruegel and G. Vigna. 10th ACM Conference on Computer and Communication Security (CCS '03)
• Service Specific Anomaly Detection for Network Intrusion Detection. C. Krugel, T. Toth, E. Kirda, ACM Symposium on Applied Computing, 2002
• Anomalous Payload-based Network Intrusion Detection.Ke Wang, Salvatore J. Stolfo. RAID'04
•  
•  

IDS Performance (high speed)

• Performance Adaptation in Real-Time Intrusion Detection Systems. Wenke Lee, Joao B. D. Cabrera, Ashley Thomas, Niranjan Balwalli, Sunmeet Saluja, and Yi Zhang. RAID 2002
• Sketch-based Change Detection: Methods, Evaluation, and Applications. Balachander Krishnamurthy, Subhabrata Sen, Yin Zhang and Yan Chen, 1st ACM/USENIX Internet Measurement Conference (IMC '03)
• Operational Experiences with High-Volume Network Intrusion Detection. H. Dreger, A. Feldmann, V. Paxson, and R. Sommer, ACM CCS'04

IDS architecture

• EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances. P. A. Porras and Peter G. Neumann. In Proceedings of the National Information Systems Security Conference. 1997
• An Architecture for Intrusion Detection Using Autonomous Agents. J. S. Balasubramaniyan, J. O. Garcia-Fernandez, D. Isacoff, E. H. Spafford, and D. Zamboni. Purdue University Technical Report. 1998.
• The Design of GrIDS: A Graph-Based Intrusion Detection System. S. Cheung, R. Crawford, M. Dilger, J. Frank, J. Hoagland, K. Levitt, J. Rowe, S. Staniford, R. Yip, D. Zerkle. UC Davis Technical Report CSE-99-2. 1999.

 Alert Correlation

• Information Modeling for Intrusion Report Aggregation. R. P. Goldman, W. Heimerdinger, S. A. Harp, C. W. Geib, V. Thomas, and R. L. Carter. In Proceedings of the DARPA Information Survivability Conference and Exposition (DISCEX II). 2001.
• Probabilistic Alert Correlation. A. Valdes and K. Skinner. In Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection (RAID) 2001.
• Aggregration and Correlation of Intrusion-Detection Alerts. H. Debar and A. Wespi. In Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection (RAID). 2001.
• A Mission-Impact-Based Approach to INFOSEC Alarm Correlation. P. A. Porras, M. W. Fong, A. Valdes. In Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID). 2002.
• Constructing Attack Scenarios through Correlation of Intrusion Alerts. Peng Ning, Yun Cui, Douglas S. Reeves, ACM CCS'02
• Statistical Causality Analysis of INFOSEC Alert Data. Xinzhou Qin and Wenke Lee, RAID'03
• Building Attack Scenarios through Integration of Complementary Alert Correlation Methods. Peng Ning, Dingbang Xu, Christopher G. Healey, and Robert A. St. Amant, NDSS'04
• Discovering Novel Attack Strategies from INFOSEC Alerts. Xinzhou Qin and Wenke Lee. ESORICS 2004

IDS Measurement and Evaluation

• A Methodology for Testing Intrusion Detection Systems. N. J. Puketza, K. Zhang, M. Chung, B. Mukherjee, and R. A. Olsson. IEEE Transactions on Software Engineering, 22(10). October, 1996.
• Evaluating Intrusion Detection Systems: The 1998 DARPA Off-line Intrusion Detection Evaluation. R. P. Lippmann, D. J. Fried, I. Graf, J. W. Haines, K. P. Kendall, D. McClung, D. Weber, S. E. Webster, D. Wyschogrod, R. K. Cunningham, and M. A. Zissman. In Proceedings of the 2000 DARPA Information Survivability Conference and Exposition (DISCEX). 2000.
• The 1999 DARPA Off-line Intrusion Detection Evaluation. R. P. Lippmann, J. W. Haines, D. J. Fried, J. Korba, and K. Das. MIT Lincoln Lab Technical Report. 2000.
• Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Off-line Intrusion Detection System Evaluation as Performed by Lincoln Laboratory. John McHugh. ACM Transactions on Information and System Security, 3(4). November, 2000.
• A Database of Computer Attacks for the Evaluation of Intrusion Detection Systems. K. Kendall. Master Thesis. MIT. 1999.
• Attack Development for Intrusion Detection Evaluation. . K. Das. B.S. Thesis. MIT. 2000.
• Measuring Intrusion Detection Capability: An Information-Theoretic Approach. Guofei Gu, Prahlad Fogla, David Dagon, Wenke Lee, and Boris Skoric. ACM ASIACCS'06
• A Framework for the Evaluation of Intrusion Detection System. Alvaro A. Cárdenas, John S. Baras and Karl S. Seamon. IEEE S&P 2006

IDS Evasion

• Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection. T. H. Ptacek and T. N. Newsham. Technical Report. 1998.
• Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics. M. Handley, C. Kreibich and V. Paxson, USENIX Security Symposium 2001.
• Mimicry Attacks on Host-Based Intrusion Detection Systems. David Wagner and Paolo Soto. ACM CCS 2002.
• Undermining an anomaly-based intrusion detection system using common exploits. K. M. C. Tan, K. S. Killourhy, and R. A. Maxion. In RAID'02.
• Hiding intrusions: From the abnormal to the normal and beyond. K. M. C. Tan, J. McHugh, and K. Killourhy. In Information Hiding: 5th International Workshop, IH 2002.
• Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic. Oleg Kolesnikov, David Dagon, and Wenke Lee. In submission.
• On gray-box program tracking for anomaly detectoin. D. Gao, M. Reiter, D. Song. USENIX Security 2004.
• Automatic generation and analysis of NIDS attacks.S. Rubin, S. Jha, and B. P. Miller. ACSAC'04.
• Testing Intrusion Detection Signatures Using Mutant Exploits. G. Vigna, W. Robertson, D. Balzarotti. CCS'04
• Automating Mimicry Attacks Using Static Binary Analysis. Kruegel & Kirda, USENIX Security'05
• Polymorphic Blending Attack. Prahlad Fogla, Monirul Sharif, Roberto Perdisci, Oleg Kolesnikov, and Wenke Lee. USENIX Security'06
• Automated discovery of mimicry attacks. Jonathon T. Giffin, Somesh Jha, and Barton P. Miller. RAID'06

Automatic Worm Signature Generation

• Autograph: Toward Automated, Distributed Worm Signature Detection. Kim & Karp. USENIX Security 2004
• Automated Worm Fingerprinting. Singh et al. OSDI 2004
• honeycomb (HotNetsII)
• Shield. SIGCOMM'04
• Nemean, USENIX Security'05
• Polygraph, IEEE S&P 2005
• Towards Automatic Generation of Vulnerability-Based Signatures. David Brumley, James Newsome, Dawn Song, Hao Wang, and Somesh Jha. IEEE S&P 2006

• to be added

Worm Modelling, Detection and Response

• A worm reading list

Some other reading lists

• Wenke Lee's IDS reading list
• Philip Chan's list
• Ke Wang's list