IDS Reading List
A collection of important intrusion detection papers
(Last update: July 2006)
Guofei Gu
Survey
General and Theoretical Background
- Computer Security Threat Monitoring and Surveillance. Anderson (1980)
- An Intrusion-Detection Model. D. Denning. IEEE Transactions on Software Engineering, 13(2), Feb. 1987.
- Statistical Foundations of Audit Trail Analysis for the Detection of Computer Misuse. P. Helman and G. Liepins. IEEE Transactions on Software Engineering, 19(9), September, 1993.
- Artificial Intelligence and Intrusion Detection: Current and Future Directions. J. Frank. In Proceedings of the 17th National Computer Security Conference. 1994.
- The Base-Rate Fallacy and Its Implications for the Difficulty of Intrusion Detection. S. Axelsson. In Proceedings of the ACM Conference on Computer and Communication Security. November, 1999.
- A Preliminary Attempt to Apply Detection and Estimation Theory to Intrusion Detection. Stefan Axelsson. Technical Report No 00-4, Dept. of Computer Engineering, Chalmers University of Technology, Sweden, March 2000.
- Information-Theoretic Measures for Anomaly Detection. W. Lee and D. Xiang. In Proceedings of the 2001 IEEE Symposium on Security and Privacy. May, 2001.
- "Why 6?" Defining the operational limits of stide, an anomaly-based intrusion detector. K. M. C. Tan and R. A. Maxion. In IEEE Symposium on Security and Privacy (S&P '02). [JSAC Version]
- Toward Cost-Sensitive Modeling for Intrusion Detection and Response. W. Lee, W. Fan, M. Miller, S. Stolfo, and E. Zadok. Journal of Computer Security 10(1,2), 2002.
- Towards a Theory of Intrusion Detection. Giovanni Di Crescenzo, Abhrajit Ghosh, Rajesh Talpade. ESORICS'05
- Towards an Information-Theoretic Framework for Analyzing Intrusion Detection Systems. Guofei Gu, Prahlad Fogla, David Dagon, Wenke Lee, and Boris Skoric. ESORICS'06
Misuse Detection Technique
Host-based Anomaly Detection Technique
- The SRI IDES Statistical Anomaly Detector. H. S. Javitz and A. Valdes. In Proceedings of the IEEE Symposium on Research in Security and Privacy. 1991.
- Experiences with Tripwire: Using Integrity Checkers for Intrusion Detection. G. H. Kim and E. H. Spafford. In USENIX Systems Administration, Networking and Security Conference III. 1994.
- A Sense of Self for Unix Processes. S. Forrest, S. A. Hofmeyr, A. Somayaji, and T. A. Longstaff. In Proceedings of the 1996 IEEE Symposium on Security and Privacy. 1996.
- Execution Monitoring of Security-Critical Programs in Distributed Systems: A Specification-based Approach. C. Ko, M. Ruschitzka, and K. Levitt. In Proceedings of the 1997 IEEE Symposium on Security and Privacy. 1997.
- Intrusion Detection Using Sequences of System Calls. S. Hofmeyr, S. Forrest, and A. Somayaji. Journal of Computer Security Vol. 6, pp. 151-180 (1998).
- Detecting Intrusion Using System Calls: Alternative Data Models. C. Warrender, S. Forrest, and B. Perlmutter. In Proceedings of the 1999 IEEE Symposium on Security and Privacy. 1999.
- Automated Response Using System-Call Delays. A. Somayaji and S. Forrest. Usenix Security 2000
- Intrusion Detection via Static Analysis. D. Wagner and D. Dean. In Proceedings of the 2001 IEEE Symposium on Security and Privacy. 2001.
- A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors. R. Sekar, M. Bendre, D. Dhurjati, and P. Bollineni. In Proceedings of the 2001 IEEE Symposium on Security and Privacy. 2001.
- Specification Based Anomaly Detection: A New Approach for Detecting Network Intrusions. R. Sekar, A. Gupta, J. Frullo, T. Shanbhag, A. Tiwari, H. Yang and S. Zhou, ACM CCS, 2002.
- Anomaly Detection Using Call Stack Information. Henry H. Feng, Oleg Kolesnikov, Prahlad Fogla, Wenke Lee, and Weibo Gong. IEEE S&P 2003
- Efficient context-sensitive intrusion detection. Jonathon T. Giffin, Somesh Jha, and Barton P. Miller. NDSS'04
- Formalizing sensitivity in static analysis for intrusion detection. Henry Hanping Feng, Jonathon T. Giffin, Yong Huang, Somesh Jha, Wenke Lee, and Barton P. Miller. IEEE S&P 2004
- Environment-sensitive intrusion detection. Jonathon T. Giffin, David Dagon, Somesh Jha, Wenke Lee, and Barton P. Miller. RAID'05
Network-based Anomaly Detection Technique
- A Framework for Constructing Features and Models for Intrusion Detection Systems. W. Lee and S. J. Stolfo. ACM Transactions on Information and System Security, 3(4). 2000.
- A Signal Analysis of Network Traffic Anomalies. Paul Barford, Jeffery Kline, David Plonka and Amos Ron. IMW '02
- A comparative study of anomaly detection schemes in network intrusion detection. A. Lazarevic, L. Ertoz, A. Ozgur, J. Srivastava & V. Kumar. Proc. SIAM Conf. Data Mining, 2003
- Anomaly Detection of Web-based Attacks. C. Kruegel and G. Vigna. 10th ACM Conference on Computer and Communication Security (CCS '03)
- Service Specific Anomaly Detection for Network Intrusion Detection. C. Krugel, T. Toth, E. Kirda. ACM Symposium on Applied Computing, 2002
- Anomalous Payload-based Network Intrusion Detection. Ke Wang, Salvatore J. Stolfo. RAID'04
IDS Performance (high speed)
- Performance Adaptation in Real-Time Intrusion Detection Systems. Wenke Lee, Joao B. D. Cabrera, Ashley Thomas, Niranjan Balwalli, Sunmeet Saluja, and Yi Zhang. RAID 2002
- Sketch-based Change Detection: Methods, Evaluation, and Applications. Balachander Krishnamurthy, Subhabrata Sen, Yin Zhang and Yan Chen. 1st ACM/USENIX Internet Measurement Conference (IMC '03)
- Operational Experiences with High-Volume Network Intrusion Detection. H. Dreger, A. Feldmann, V. Paxson, and R. Sommer. ACM CCS'04
IDS architecture
- EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances. P. A. Porras and Peter G. Neumann. In Proceedings of the National Information Systems Security Conference. 1997
- An Architecture for Intrusion Detection Using Autonomous Agents. J. S. Balasubramaniyan, J. O. Garcia-Fernandez, D. Isacoff, E. H. Spafford, and D. Zamboni. Purdue University Technical Report. 1998.
- The Design of GrIDS: A Graph-Based Intrusion Detection System. S. Cheung, R. Crawford, M. Dilger, J. Frank, J. Hoagland, K. Levitt, J. Rowe, S. Staniford, R. Yip, D. Zerkle. UC Davis Technical Report CSE-99-2. 1999.
Alert Correlation
- Information Modeling for Intrusion Report Aggregation. R. P. Goldman, W. Heimerdinger, S. A. Harp, C. W. Geib, V. Thomas, and R. L. Carter. In Proceedings of the DARPA Information Survivability Conference and Exposition (DISCEX II). 2001.
- Probabilistic Alert Correlation. A. Valdes and K. Skinner. In Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection (RAID). 2001.
- Aggregation and Correlation of Intrusion-Detection Alerts. H. Debar and A. Wespi. In Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection (RAID). 2001.
- A Mission-Impact-Based Approach to INFOSEC Alarm Correlation. P. A. Porras, M. W. Fong, A. Valdes. In Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID). 2002.
- Constructing Attack Scenarios through Correlation of Intrusion Alerts. Peng Ning, Yun Cui, Douglas S. Reeves. ACM CCS'02
- Statistical Causality Analysis of INFOSEC Alert Data. Xinzhou Qin and Wenke Lee. RAID'03
- Building Attack Scenarios through Integration of Complementary Alert Correlation Methods. Peng Ning, Dingbang Xu, Christopher G. Healey, and Robert A. St. Amant. NDSS'04
- Discovering Novel Attack Strategies from INFOSEC Alerts. Xinzhou Qin and Wenke Lee. ESORICS 2004
IDS Measurement and Evaluation
- A Methodology for Testing Intrusion Detection Systems. N. J. Puketza, K. Zhang, M. Chung, B. Mukherjee, and R. A. Olsson. IEEE Transactions on Software Engineering, 22(10). October, 1996.
- Evaluating Intrusion Detection Systems: The 1998 DARPA Off-line Intrusion Detection Evaluation. R. P. Lippmann, D. J. Fried, I. Graf, J. W. Haines, K. P. Kendall, D. McClung, D. Weber, S. E. Webster, D. Wyschogrod, R. K. Cunningham, and M. A. Zissman. In Proceedings of the 2000 DARPA Information Survivability Conference and Exposition (DISCEX). 2000.
- The 1999 DARPA Off-line Intrusion Detection Evaluation. R. P. Lippmann, J. W. Haines, D. J. Fried, J. Korba, and K. Das. MIT Lincoln Lab Technical Report. 2000.
- Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Off-line Intrusion Detection System Evaluation as Performed by Lincoln Laboratory. John McHugh. ACM Transactions on Information and System Security, 3(4). November, 2000.
- A Database of Computer Attacks for the Evaluation of Intrusion Detection Systems. K. Kendall. Master Thesis. MIT. 1999.
- Attack Development for Intrusion Detection Evaluation. K. Das. B.S. Thesis. MIT. 2000.
- Measuring Intrusion Detection Capability: An Information-Theoretic Approach. Guofei Gu, Prahlad Fogla, David Dagon, Wenke Lee, and Boris Skoric. ACM ASIACCS'06
- A Framework for the Evaluation of Intrusion Detection System. Alvaro A. Cárdenas, John S. Baras and Karl S. Seamon. IEEE S&P 2006
IDS Evasion
- Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection. T. H. Ptacek and T. N. Newsham. Technical Report. 1998.
- Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics. M. Handley, C. Kreibich and V. Paxson, USENIX Security Symposium 2001.
- Mimicry Attacks on Host-Based Intrusion Detection Systems. David Wagner and Paolo Soto. ACM CCS 2002.
- Undermining an anomaly-based intrusion detection system using common exploits. K. M. C. Tan, K. S. Killourhy, and R. A. Maxion. In RAID'02.
- Hiding intrusions: From the abnormal to the normal and beyond. K. M. C. Tan, J. McHugh, and K. Killourhy. In Information Hiding: 5th International Workshop, IH 2002.
- Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic. Oleg Kolesnikov, David Dagon, and Wenke Lee. In submission.
- On gray-box program tracking for anomaly detection. D. Gao, M. Reiter, D. Song. USENIX Security 2004.
- Automatic generation and analysis of NIDS attacks. S. Rubin, S. Jha, and B. P. Miller. ACSAC'04.
- Testing Intrusion Detection Signatures Using Mutant Exploits. G. Vigna, W. Robertson, D. Balzarotti. CCS'04
- Automating Mimicry Attacks Using Static Binary Analysis. Kruegel & Kirda. USENIX Security'05
- Polymorphic Blending Attack. Prahlad Fogla, Monirul Sharif, Roberto Perdisci, Oleg Kolesnikov, and Wenke Lee. USENIX Security'06
- Automated discovery of mimicry attacks. Jonathon T. Giffin, Somesh Jha, and Barton P. Miller. RAID'06
Automatic Worm Signature Generation
- Autograph: Toward Automated, Distributed Worm Signature Detection. Kim & Karp. USENIX Security 2004
- Automated Worm Fingerprinting. Singh et al. OSDI 2004
- honeycomb (HotNetsII)
- Shield. SIGCOMM'04
- Nemean, USENIX Security'05
- Polygraph, IEEE S&P 2005
- Towards Automatic Generation of Vulnerability-Based Signatures. David Brumley, James Newsome, Dawn Song, Hao Wang, and Somesh Jha. IEEE S&P 2006
Botnet
Worm Modelling, Detection and Response
Some other reading lists