Tech Reports
ULCS-16-002
Temporal Data Streams for Anomaly Intrusion Detection (Extended Version)
Abstract
Intrusion detection systems (IDS) aim to protect computer systems against attacks. The detection methods employed in anomaly-based IDS are based, in particular, on monitoring networks for patterns of activity that differ from normal behaviour. Issues to be addressed with anomaly-based systems include deciding and representing what constitutes normal behaviour as well as being able to detect deviations from this efficiently in high speed networks. Here we describe an approach to anomaly-based intrusion detection utilising temporal logic and stream data processing. Temporal logic is used to specify the normality conditions which, after translation into data stream queries, are efficiently executed on streams of network packets. The proposed approach allows the concise representation of patterns of normal behaviour, possibly involving multiple steps, as well as being able to detect their violations over a high volume of data in high speed networks.
[Full Paper]For each technical report listed here, copyright and all intellectual property rights remain with the respective authors. Copyright is effective from the year of publication in each case. By downloading a file from this page, you agree to use it only for purposes of research and scholarship. Any other use of this material or storage of it in any medium or its sale or distribution in any form is expressly forbidden without prior written permission from the authors concerned.
Ashton Street, Liverpool, L69 3BX
United Kingdom
Call the department
+44 (0)151 795 4275