8/6/2019 Intrusion Detection Syste1
1/32
INTRUSION DETECTION SYSTEM
SEMINAR REPORT
Submitted by
ARUN.P.KUMAR (18385)
In partial fulfillment for the award of the degree
Of
Bachelor of Computer Applications
UNION CHRISTIAN COLLEGE
ALUVA
M.G.UNIVERSITY, KOTTAYAM
2007-2010
Internal examiner External examiner
TABLE OF CONTENTS
1. INTRODUCTION
2. INTRUSION
2.1 Signature Based
2.2 Anomaly Based
3. INTRUSION DETECTION SYSTEM
3.1 Types of IDS
3.1.1 Network-Based IDS
3.1.1.1 Strengths of Network-Based IDS
3.1.2 Host-Based IDS
3.1.2.1 Strengths of Host-Based IDS
3.1.3 The Need for Both Types
3.2 Implementing an IDS
3.3 Characteristics of IDS
3.4 Security Policy and IDS
4. KEY IDS PROCESSES
5. INFRASTRUCTURE FOR IDS AND RESPONSE
5.1 IDIP Concept
5.2 IDIP Application Layer Protocol
5.3 Cryptographic Requirements
5.4 Software Architecture
6. INTEGRATED SERVICE CHECKER
6.1 Network Intrusion Detection System
6.2 System Layout
6.3 Data Collection and Analysis
7. Other Types of IDS
7.1 System Integrity Verifiers
7.2 Log File Monitors
7.3 Honey Pots
8. Conclusion
9. Bibliography
1. INTRODUCTION
Intrusion detection is a very important aspect of protecting the cyber
infrastructure from terrorist attacks or from hackers. Intrusion prevention
techniques such as firewalls and filtering router policies fail to stop many
types of attack. Therefore, no matter how secure you try to make your system,
intrusions still happen, and so they must be detected. Intrusion detection
systems are becoming an important part of computer systems and their
security. An intrusion detection system is used to detect several types of
malicious behaviour that can compromise the security and trust of a computer
system. This includes network attacks against vulnerable services,
data-driven attacks on applications, host-based attacks such as privilege
escalation, unauthorized logins and access to sensitive files, and malware
(viruses, trojan horses and worms). An IDS can be composed of several
components: sensors, which generate security events; a console, to monitor
events and alerts and to control the sensors; and a central engine, which
records the events logged by the sensors in a database and uses a system of
rules to generate alerts from the security events received. There are
several ways to categorize an IDS, depending on the type and location of the
sensors and the methodology used by the engine to generate alerts. In many
simple IDS implementations all three components are combined in a single
device or appliance. Once an intrusion is detected, the response chosen
depends on the attack type, the certainty of the detection, and the severity
of the attack relative to the vulnerability of the components under attack;
the response may be to kill the connection, install filtering rules, or
disable the user account.
2. INTRUSION
An intrusion is any set of actions that attempts to compromise the
integrity, confidentiality or availability of a resource; such actions can
damage your system and may give access to confidential data. Any abuse may
be viewed quite differently depending on the attack: what is the aim
(objective) of the attacker? What damage or other consequences are likely?
An intruder takes advantage of weak points or vulnerabilities that exist in
the targeted (your) system. In short, intrusion means someone attempting to
break into or misuse the system.
Detection Approaches
Within these types of IDS, two approaches can be adopted for analyzing
malicious activity to detect attacks. Each approach has advantages and
disadvantages, but the most commonly used method is signature-based
detection.
2.1 Signature Based
Signature-based IDS work by monitoring packets on the network and comparing
them with pre-defined attack signatures in a database. Signature detection
records each pattern of events as a separate attack signature. Such systems
detect attacks while minimizing the number of false alarms, and they help
security managers track security problems in their systems. A
signature-based intrusion detection system therefore detects malware in the
same way that antivirus software detects viruses and worms: it identifies
intrusions by watching for patterns of traffic or application data presumed
to be malicious. Systems of this type can detect only 'known' attacks,
because they catch intrusions in terms of the characteristics of known
attacks or known system vulnerabilities.
2.2 Anomaly Based
Anomaly-based IDS work by analyzing unusual behaviour of a host on the
network. The traffic patterns of normal activity differ from the patterns of
an attack, so an anomaly-based IDS monitors the traffic and compares it with
a known baseline. The approach is to measure a "baseline" of statistics such
as CPU utilization, disk activity, user logins, file activity and so forth;
the system then triggers when there is a deviation from this baseline. The
benefit of this approach is that it can detect anomalies without having to
understand the underlying cause of the anomaly. It can detect insider
attacks or account theft very easily, and it is difficult for an attacker to
know with certainty what activity he can perform without setting off an
alarm. The price, which signature-based detection does not pay, is that
anything absent from the training baseline, including legitimate new
behaviour, will also raise an alert.
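As an added illustration of the two approaches just described (this is example code written for this report, not part of the original text or of any IDS product), the following Python sketch runs a signature pass and an anomaly pass over constructed data. The signature patterns, the sample events and the login-count training window are all made up for the example; the anomaly detector treats a deviation of more than three standard deviations from the learned baseline as an alert, which is one common choice rather than a rule stated in the report.

```python
import re
import statistics
from dataclasses import dataclass

# Constructed sample events (source address, payload text); not captured traffic.
SAMPLE_EVENTS = [
    ("10.0.0.5", "GET /index.html HTTP/1.1"),
    ("10.0.0.7", "GET /cgi-bin/test.cgi?cmd=/bin/sh HTTP/1.1"),
    ("10.0.0.9", "USER anonymous"),
    ("10.0.0.9", "SITE EXEC %p%p%p%p"),
]

# Illustrative signature database: name -> pattern the payload is matched against.
# These patterns are assumptions for the example, not rules from any real IDS.
SIGNATURES = {
    "web-cgi-shell": re.compile(rb"/cgi-bin/.*/bin/(sh|bash)\b"),
    "ftp-site-exec-format-string": re.compile(rb"SITE EXEC .*%[pnsx]"),
}


def signature_matches(payload: bytes):
    """Names of every signature whose pattern occurs in the payload."""
    return [name for name, pattern in SIGNATURES.items() if pattern.search(payload)]


def signature_scan(events):
    """Signature-based pass: one alert per (source, signature) hit, in event order."""
    return [(src, name)
            for src, payload in events
            for name in signature_matches(payload.encode())]


@dataclass
class Baseline:
    """Profile of 'normal' for one metric, learned from a training window."""
    mean: float
    stdev: float


def learn_baseline(samples):
    return Baseline(float(statistics.mean(samples)), statistics.pstdev(samples))


def anomaly_score(baseline, value):
    """Distance from the baseline in standard deviations (a z-score)."""
    if baseline.stdev == 0:
        return 0.0 if value == baseline.mean else float("inf")
    return abs(value - baseline.mean) / baseline.stdev


def anomaly_scan(baseline, observations, threshold=3.0):
    """Anomaly-based pass: flag observations more than `threshold` deviations out."""
    return [(label, value) for label, value in observations
            if anomaly_score(baseline, value) > threshold]


if __name__ == "__main__":
    print(signature_scan(SAMPLE_EVENTS))
    # Constructed training window: logins per day for one account over eight days.
    logins = learn_baseline([3, 4, 5, 4, 3, 5, 4, 4])
    print(anomaly_scan(logins, [("day9", 5), ("day10", 40), ("day11", 6)]))
```

Note how the two passes fail differently: the signature pass says nothing about the first event even though a new CGI exploit could hide there, while the anomaly pass flags day10 without knowing why forty logins happened (a stolen account, or a new batch job).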
3. INTRUSION DETECTION SYSTEM
In order to respond properly to an attack on an asset it must first be
detected, and then all of its characteristics uncovered and documented. Once
the attack or misuse is recognized, the response can be automatic or manual
and can include termination of the connection or a host of responses aimed
at apprehending the attacker. Techniques such as firewalls, identification
and authentication procedures, and encryption are not designed to address
these issues; they are the province of the intrusion detection system.
3.1 Types of IDS
For general purposes, the intrusion detection system (IDS) has evolved into
two major architectures, classified by the scope of what they monitor
(either may use signature or anomaly detection):
3.1.1 Network-based intrusion detection system
Network-based intrusion detection systems work by capturing and analyzing
the packets on a network. This type of IDS monitors traffic patterns and
alerts the system administrator about potentially malicious activity. The
sensors used in this type of IDS usually run in stealth mode, hiding their
presence and avoiding discovery by attackers. A network intrusion detection
system monitors all inbound and outbound packets to and from the devices on
the network.
3.1.1.1 Strengths of Network-Based IDS
The network-based IDS has many strengths due to its real-time packet capture
and analysis functionality, which cannot easily be performed with a
host-based IDS alone. Below are some of the strengths that make a
network-based IDS a clearly needed component of any security system and
policy.
1. Cost of Ownership
The network-based IDS allows strategic deployment at critical access points
to view network traffic destined for numerous systems that need to be
protected. It does not require software to be loaded and managed on a
variety of hosts, as a host-based IDS does. Because fewer detection points
are required, management is more cost-effective for an enterprise
environment.
2. Packet Analysis
The network-based IDS examines all packet headers for signs of malicious and
suspicious activity. Many of today's IP-based denial of service (DoS)
attacks are detected by looking at the packet headers as they travel across
a network. For example, a LAND attack is a forged packet whose source and
destination IP addresses, and source and destination ports, are the same as
those of the target host. The forged packet tells the target to open a
connection with itself and can cause the target to operate slowly or crash.
This type of attack can quickly be identified and responded to by a
network-based IDS because it is looking at the packet stream in real time.
Attacks that use fragmented packets, like Teardrop (which sends IP
fragments whose offsets overlap), can also be detected with packet-level
analysis. A host-based IDS cannot detect these types of attack. In addition
to looking at the packet headers, a network-based IDS can also investigate
the content of the payload, looking for specific commands or syntax used by
a variety of attacks. Many of these commands are indicative of an attack,
whether successful or not. Example: an attacker probing for the Back Orifice
exploit on systems that are not infected with the Back Orifice software can
be detected by examining the packet payload. A host-based IDS would not be
able to detect these types of payload-embedded attacks.
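The header checks described above, as an added example (example code for this report, not code from the original): it assembles a LAND packet and a Teardrop-style fragment pair with constructed addresses, then runs the two checks a network-based IDS performs on headers alone, without looking at the payload. The addresses, ports and datagram identifiers are assumptions; the LAND rule is the one stated in the text (source equals destination address and port, on a SYN), and the Teardrop rule flags any two fragments of one datagram whose byte ranges overlap.

```python
import ipaddress
import struct

IPV4 = struct.Struct("!BBHHHBBH4s4s")   # 20-byte IPv4 header without options
TCP = struct.Struct("!HHIIBBHHH")       # 20-byte TCP header without options
TCP_SYN = 0x02
IP_MF = 0x2000                           # "more fragments" flag in the flags/offset field


def build_ipv4(src, dst, payload, proto=6, ident=1, flags_frag=0):
    """Assemble a test packet (checksum left zero; irrelevant for offline inspection)."""
    header = IPV4.pack(0x45, 0, 20 + len(payload), ident, flags_frag, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


def build_tcp(sport, dport, flags, seq=0):
    return TCP.pack(sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)


def parse(packet):
    """Decode the fields a header-only IDS needs from an IPv4 packet."""
    vihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = IPV4.unpack_from(packet)
    ihl = (vihl & 0x0F) * 4
    hdr = {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "proto": proto,
        "ident": ident,
        "mf": bool(flags_frag & IP_MF),
        "offset": (flags_frag & 0x1FFF) * 8,   # fragment offset is in 8-byte units
        "len": total_len - ihl,                 # payload bytes carried by this packet
    }
    # The transport header is only present in the first fragment.
    if proto == 6 and hdr["offset"] == 0 and len(packet) >= ihl + TCP.size:
        sport, dport, _seq, _ack, _off, flags, _win, _csum, _urg = TCP.unpack_from(packet, ihl)
        hdr.update(sport=sport, dport=dport, flags=flags)
    return hdr


def is_land(hdr):
    """LAND: a SYN whose source and destination address and port all equal the target's."""
    return bool(hdr.get("flags", 0) & TCP_SYN
                and hdr["src"] == hdr["dst"]
                and hdr.get("sport") == hdr.get("dport"))


def fragments_overlap(fragments):
    """Teardrop-style: two fragments of one datagram claim overlapping byte ranges."""
    spans = sorted((h["offset"], h["offset"] + h["len"]) for h in fragments)
    return any(start < prev_end for (_, prev_end), (start, _) in zip(spans, spans[1:]))


def inspect(packets):
    """Run both header checks over a packet stream; returns alerts in detection order."""
    alerts = []
    datagrams = {}   # (src, dst, ident, proto) -> fragments seen so far
    for pkt in packets:
        h = parse(pkt)
        if is_land(h):
            alerts.append(("LAND", h["src"], h["dport"]))
        if h["mf"] or h["offset"]:
            datagrams.setdefault((h["src"], h["dst"], h["ident"], h["proto"]), []).append(h)
    for (src, _dst, ident, _proto), frags in datagrams.items():
        if fragments_overlap(frags):
            alerts.append(("TEARDROP", src, ident))
    return alerts


# Constructed test traffic (not a capture).
TARGET = "192.0.2.10"
LAND_PACKET = build_ipv4(TARGET, TARGET, build_tcp(139, 139, TCP_SYN))
NORMAL_SYN = build_ipv4("198.51.100.7", TARGET, build_tcp(40123, 80, TCP_SYN))
TEARDROP = [   # UDP datagram 7 split so that the second fragment starts inside the first
    build_ipv4("198.51.100.7", TARGET, b"A" * 24, proto=17, ident=7, flags_frag=IP_MF | 0),
    build_ipv4("198.51.100.7", TARGET, b"B" * 16, proto=17, ident=7, flags_frag=2),
]

if __name__ == "__main__":
    print(inspect([LAND_PACKET, NORMAL_SYN] + TEARDROP))
```

Both checks need state only a network sensor has: the LAND check needs the packet before the target's stack processes it, and the overlap check needs every fragment of the datagram, which a host-based IDS reading logs after reassembly never sees.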
3. Evidence Removal
The network-based IDS uses live network traffic for its attack detection in
real time, and a hacker cannot remove this evidence once captured. The
captured data contains not only the attack but information that may help
lead to the attacker's identification, and it may also be needed as evidence
leading to prosecution. One problem sometimes experienced with host-based
IDS is that hackers understand most of the audit log files, and that is
usually the first place they go to cover their tracks by removing or
damaging this information.
4. Real-Time Detection and Response
The network-based IDS detects malicious and suspicious attacks as they are
occurring, in true real time, and provides faster response to and
notification of the attack at hand. Example: a hacker initiating a TCP-based
network denial of service (DoS) can be stopped by having the IDS send a TCP
reset to terminate the connection before it crashes or damages the targeted
host. (A reset can only terminate TCP connections, and an IDS that resets
connections on false positives can itself become a source of denial of
service.) Many times with a host-based IDS, the notification from a
particular log or event is detected after the damage is already done, or not
at all if the system has crashed. Having real-time notification allows you
to react quickly in the desired fashion: some may want to allow further
penetration so they can gather more information in a surveillance mode,
while others may opt for immediate termination of the attack.
5. Malicious Intent Detection
A network-based IDS can also be very valuable in determining malicious
intent. If a network-based IDS is placed outside the firewall it can detect
attacks intended for resources behind the firewall, even though the firewall
may be rejecting these attempts. A host-based IDS could not show these
rejected attacks, because they never reach the host, but it is important to
know the frequency and types of attack being thrown at your network.
6. Complement and Verification
The network-based IDS can also complement existing components of your
implemented security policy. In the case of encryption, although the
network-based IDS may not be able to read encrypted traffic, it can be used
to detect any unencrypted traffic that may be present on your network. In
the case of a firewall, the network-based IDS can help verify that it is
truly keeping out the types of traffic and addresses it should be rejecting.
Implementing both a network-based and a host-based IDS greatly enhances your
resistance to attack. The figure below illustrates the independent network-
and host-based IDS scenarios and the benefit of implementing both a network
and a host-based solution.
7. Operating System Independence
The network-based IDS is not dependent on the host operating system for its
detection source, as the host-based IDS is. All of the log information used
by a host-based solution requires the operating system to be functioning
properly and not compromised in any way.
3.1.2 Host-based intrusion detection system
Host-based intrusion detection works by collecting information from
individual computers: it detects and monitors the activity of an attack on
an operating system by collecting data from the host computer. Host-based
detection only monitors the inbound and outbound packets of the device it
runs on. It uses two sources of information: operating system audit trails
and system logs. Operating system audit trails are obtained from the kernel
of the operating system, and system logs describe the system's activities on
the network.
3.1.2.1 Strengths of Host-Based IDS
Because the host-based IDS resides on specific hosts and uses the
information provided by the operating system, it adds capabilities not found
in the network-based IDS. Some of the major strengths include:
1. Attack Verification
Because the host-based IDS uses logs containing events that have actually
occurred, it has the advantage of knowing whether the attack or exploit was
actually successful. This type of detection has been deemed more accurate
and less prone to false positives. Many network-based detections trigger
numerous false positives because normal traffic can look very close to
malicious traffic, and it is hard for a network-based IDS to know whether or
not an attack was successful.
2. System Specific Activity
The host-based IDS can quickly monitor user and file access activity. Any
time a login or logoff procedure is executed it is logged, and the
host-based IDS can monitor this according to its current policy. It can also
monitor file access and be notified when specific files are opened or
closed. This type of system activity cannot be monitored or detected by a
network-based IDS, because it does not necessarily generate traffic on the
network. Example: someone walking up to a keyboard and opening a non-shared
file. The host-based IDS can also monitor activities that should and can
only be executed by an administrator. Any time user accounts are added,
deleted or modified this is logged and can be detected as soon as the change
is executed. Also, if any audit policy changes are made affecting what the
system logs and does not log, the host-based IDS will immediately pick up
this activity. A network-based IDS could not detect these types of
administrative change.
3. Encrypted and Switched Environments
Because the host-based IDS software resides on various hosts throughout an
enterprise, it can overcome some of the challenges faced by a network-based
IDS. In a purely switched environment it can be challenging to deploy a
network-based IDS, because a switched network consists of numerous separate
collision domains or segments. It is sometimes hard to get the required
coverage, since a network-based IDS can only reside on one segment at a time
and numerous segments need to be protected. Traffic mirroring and SPAN ports
on switches have helped, but still present challenges in getting enough
coverage and have limitations. The host-based IDS can provide greater
visibility into a purely switched environment by residing on as many
critical hosts as needed. As for encryption, certain types of encryption can
also present a challenge to the network-based IDS: depending on where the
encryption resides within the protocol stack, it may leave the network IDS
blind to certain attacks. The host-based IDS does not have this problem: if
the host in question uses log-based analysis, the encryption has no impact
on what goes into the log files. A stack-based IDS allows us to monitor the
packets as they traverse the TCP/IP stack; this allows the IDS to examine
packets before the OS or the application sees them, but after the stack has
decrypted them.
4. Monitoring Key Components
Fig 3.1 Intruder and Victim
3.2 Implementing an Intrusion Detection System
An effective IDS does not stand alone. It must be supported by a number of
other systems. Among the things to consider, in addition to the IDS itself,
in setting up a good IDS for the company network are:
Operating systems: a good operating system that has logging and auditing
features. Most modern operating systems, including Windows, UNIX and the
variants of Unix, have these features. They can be used to monitor
security-critical resources.
Services: all applications on servers, such as web servers, e-mail servers
and databases, should include logging/auditing features as well.
Firewalls: a good firewall should have some network intrusion detection
capabilities.
Network management platform: whenever network management services such as
OpenView are used, make sure that they have tools to help in setting up
alerts on suspicious activity.
3.3 Characteristics of IDS
It must be able to detect an intruder in your system as well as a legitimate
user misusing system resources. It must run continually and be fault
tolerant. It must resist subversion by the intruder and use self-diagnosis
to determine whether the intrusion detection system itself has been
compromised. Every system has different usage patterns, and the defence
mechanism should adapt easily to these patterns.
3.4 Security policy and IDS
What is permitted and what is denied on the system must be defined. The
system must be available for use and data must be available in readable
form. The system must be able to verify the identity of a user, and the user
should be able to verify the identity of the system. Private data should be
known only to its owner or a chosen few.
4. KEY IDS PROCESSES
Process model for efficient intrusion detection systems
The IDS process model (Figure 1) is underpinned by the data sources it has
access to. The data sources are important because this data is used to
detect intrusions into the network. These data sources can be obtained from
different levels of the system. Some of the data sources from which
intrusions can be found are (Bace & Mell, 2007):
Auditing the system resources by checking the audit log file of the
operating system, which includes system events and activities. Information
such as file accesses and the method of the access attempts may also be
useful.
Recording information such as system parameters, memory use and network
connections, which is useful for detecting intrusions.
Network management logs, which give information about device status and
transitions.
In order to implement, and more importantly maintain, an effective IDS it is
necessary to identify and describe the key processes involved. Ten key
processes are described here.
1. Activity monitoring and automation. This is the process of monitoring all
user and system activities in a network. The system and network
configuration are checked for any intrusions. The two main tasks of
activity monitoring are to detect system and network intrusions, and to
detect abnormal attack patterns and user policy violations (White, 2003).
The main purpose of activity monitoring is to alert the administrator to the
problems caused by crashed servers, overload, malware infection and failed
connections.
2. Configuration check. This check is done to identify the system and
network configuration. It checks whether the systems and network have any
detectable vulnerabilities. Configuration checking also looks for hosts that
do not belong to the network. All machines in the network should be checked
periodically for malware. There are also different types of sniffing tools
that can be used in this configuration-checking process.
3. File authorizations. File authorization checking identifies modifications
to file, user and group authorizations. One possible attack vector is to
modify the user and group authorizations, allowing various further attacks
on the network. One way of checking the file settings is to keep a copy of
the expected file settings outside the network and compare the current
settings against it.
4. Log file examination. Log files record actions and events that take place
on a network. Log files can be obtained from various devices such as servers
and routers. They are mainly used for checking who has accessed the network,
at what time and from which location.
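As an added example of log file examination (example code written for this report, not from the original), the following parses constructed sshd-style auth log lines and applies the simplest useful rule: three failed logins from one source within a minute is a brute-force attempt, and a successful login from that source afterwards is escalated, since it is exactly the "who, when and from where" question the paragraph describes. The log lines, hostname and addresses are constructed; the threshold, window and the year supplied to the timestamp parser are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog-style sshd lines; not from a real system.
SAMPLE_LOG = """\
Mar  9 10:01:02 host1 sshd[1201]: Failed password for root from 203.0.113.9 port 51011 ssh2
Mar  9 10:01:04 host1 sshd[1203]: Failed password for root from 203.0.113.9 port 51012 ssh2
Mar  9 10:01:05 host1 sshd[1205]: Failed password for admin from 203.0.113.9 port 51013 ssh2
Mar  9 10:01:07 host1 sshd[1207]: Failed password for invalid user oracle from 203.0.113.9 port 51014 ssh2
Mar  9 10:01:09 host1 sshd[1209]: Accepted password for root from 203.0.113.9 port 51015 ssh2
Mar  9 10:05:00 host1 sshd[1301]: Failed password for alice from 10.0.0.8 port 40001 ssh2
Mar  9 10:06:30 host1 sshd[1303]: Accepted publickey for alice from 10.0.0.8 port 40002 ssh2
"""

AUTH_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse_line(line, year=2019):
    """Turn one sshd line into an event dict, or None for lines we do not understand."""
    m = AUTH_LINE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies it.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(log_text, threshold=3, window_seconds=60):
    """Alert once when a source reaches `threshold` failures inside a sliding window,
    then escalate if that same source later logs in successfully."""
    recent_failures = defaultdict(list)   # src -> failure timestamps still inside the window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev["src"]
        if ev["result"] == "Failed":
            window = [t for t in recent_failures[src]
                      if (ev["ts"] - t).total_seconds() <= window_seconds]
            window.append(ev["ts"])
            recent_failures[src] = window
            if len(window) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("bruteforce", src, len(window)))
        elif src in flagged:
            alerts.append(("success-after-bruteforce", src, ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The second alert is the one worth a page: a burst of failures alone is background noise on any Internet-facing host, but a success from the same source immediately afterwards means the guess worked and the "attack verification" discussed under host-based IDS has just happened in the log.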
9. Response. Response is the action that a system takes when it detects an
intrusion on the network. It is most usefully employed when presenting the
event analysis results through a graphical user interface. There are
several methods for alerting administrators to events, such as e-mail or
pagers (Saiglobal, 2004). A system administrator can then ascertain the
severity of the event and decide on the most appropriate countermeasures. In
some IDS the reaction-response is also able to perform preventive actions,
such as locking the account that was attacked, thereby reducing additional
potential damage to the system.
10. Data storage. Data storage is required for storing all detected
activities, audit logs and other relevant information in a database. This
database will contain a collection of attacks, unusual behaviour patterns
and other attacks that can be used for future detection of intrusions. It
can also store the detected malicious activity for subsequent use as
evidence.
5. INFRASTRUCTURE FOR IDS AND RESPONSE
When an intrusion detection system is applied to large internetworked
environments or information infrastructures, it has some important
limitations:
1) An IDS detects local intrusion symptoms and can only react locally (e.g.
by reconfiguring the local boundary controller and hosts). Because attacks
may cross many network boundaries, a response local to the target cannot
identify or mitigate the source of the attack, which may be several networks
removed.
2) Even if the IDS were capable of communicating with remote boundary
controllers near the attacker, there is no common language for remotely
instructing them to block selected traffic. It is also unlikely that an
intrusion detection system would know enough about all such devices to be
able to reconfigure them remotely using low-level, device-specific commands.
3) If an intrusion, or its symptoms, is detected in different areas of an
internetworked environment by different intrusion detection systems, current
technologies lack the infrastructure and protocol for
1. pooling this information to allow correlation, and
2. developing and promulgating a coordinated, uniform response throughout
the environment.
The Intruder Detection and Isolation Protocol (IDIP) overcomes these
drawbacks. This protocol is integrated with a variety of boundary control
devices, hosts and intrusion detection systems for blocking and tracing
intrusions across network boundaries.
5.1 IDIP Concept
IDIP is an application layer protocol that coordinates intrusion tracking
and isolation. IDIP systems are organized into IDIP communities. Each IDIP
community is an administrative domain, with intrusion detection and response
functions managed by a component called the Discovery Coordinator.
Communities are further organized into IDIP neighbourhoods, which are
collections of components with no boundary control device between them;
boundary control devices are members of multiple IDIP neighbourhoods. See
Fig 5.1.
The objective of IDIP is to share the information necessary to enable
intrusion tracking and containment.
When an attack traverses an IDIP-protected network, each IDIP node along the
path is responsible for auditing the data it observes. When an intrusion is
detected, all neighbours are notified. Each IDIP node makes a local decision
as to what type of response to give; this depends on the attack type, the
certainty of the detection, the severity of the attack relative to the type
of attack, and the vulnerability of the components under attack. The
response may be to kill the connection, install filtering rules, or disable
the user account.
Fig 5.1 IDIP Communities
Each IDIP node sends a copy of the attack report, along with its local
response, to the Discovery Coordinator, which collects all the reports to
gain a better overall picture of the situation and also issues response
directives back to individual nodes, either to remove an unnecessary
response (e.g. a firewall filtering rule) or to add a response, such as
firewall filtering on an alternate attack path. Hosts may also participate
in an IDIP system. Hosts can provide finer-grained responses, as they can
trace an intrusion back to the process and the user that initiated it on the
local host. If an intruder performs the attack after hopping through
multiple hosts, IDIP-enabled hosts allow the intrusion to be traced back
through these hosts, which is not possible if only boundary controllers
participate in the IDIP system.
5.2 IDIP Application Layer Protocol
IDIP is organized into two primary protocol layers: the IDIP application
layer and the IDIP message layer.
The application layer protocol accomplishes intrusion tracking and
containment through three major message types: 1. Trace, 2. Report,
3. Discovery Coordinator directive.
An IDIP trace request message is sent when an event sequence is detected
that is determined to be sufficiently intrusive to warrant a response, which
may be to trace and block routes. This message includes a description of the
event and of the connection used by the intruder. This information is used
by each IDIP node that receives the trace request to determine whether the
attack passed through that node. The description may need to be modified
along the way (for example where addresses are translated), so the protocol
supports appending translation records to the end of the trace message. In
a trace message, blocking can be requested for a limited time or until the
system administrator reverses the action; for timed blocks, IDIP monitors
the clock to determine when to remove the blocking. An IDIP report is simply
a copy of the trace message that is sent to the Discovery Coordinator by
each component that receives it. Once the Discovery Coordinator has
determined an optimal response, it sends directives to the nodes that need
to alter their response. Discovery Coordinator directives are of two types:
1. Undo message: requests that an action previously taken by IDIP be
reversed, for example re-opening a service that was blocked at a firewall.
2. Do message: requests that another action be taken, such as extending the
duration of a blocking rule.
Supporting communication between the varied IDIP components requires a
flexible and extensible language. IDIP uses the Common Intrusion
Specification Language (CISL) developed by the Common Intrusion Detection
Framework (CIDF).
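The Trace/Report/Directive exchange described in 5.1 and 5.2, as an added simulation (example code written for this report, not an IDIP implementation): a trace issued at the victim's firewall propagates through the neighbourhood, each node on the attack path blocks locally and reports, the Discovery Coordinator then undoes the blocks that are no longer needed and can extend the one nearest the attacker with a Do directive, and timed blocks lapse when the clock passes their expiry. The node names, addresses, the JSON encoding and the "keep only the block nearest the attacker" policy are assumptions; the real protocol uses CISL, not JSON.

```python
import json
from dataclasses import dataclass, field, asdict, replace

MAX_UDP_PAYLOAD = 65507   # one IPv4 UDP datagram: 65535 - 20 (IP) - 8 (UDP)


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    dport: int


@dataclass
class Message:
    kind: str               # "TRACE", "REPORT" or "DIRECTIVE"
    event: str              # description of the detected event sequence
    conn: Connection        # the connection the intruder used
    origin: str             # component that emitted this message
    block_seconds: int = 0  # 0 = block until an administrator reverses it
    path: list = field(default_factory=list)   # IDIP nodes the trace has visited
    action: str = ""        # for directives: "UNDO" or "DO"

    def encode(self):
        return json.dumps(asdict(self)).encode()


def fits_in_datagram(msg):
    return len(msg.encode()) <= MAX_UDP_PAYLOAD


class DiscoveryCoordinator:
    def __init__(self):
        self.reports = []

    def report(self, msg):
        self.reports.append(msg)

    def nodes_on_path(self, conn):
        """Nodes that confirmed the attack passed through them, in trace order."""
        return [r.origin for r in self.reports if r.conn == conn]

    def directive(self, node, action, msg, block_seconds=0):
        node.handle_directive(replace(msg, kind="DIRECTIVE", origin="DC",
                                      action=action, block_seconds=block_seconds))


class IDIPNode:
    """A boundary controller (or host) that takes part in tracing and blocking."""

    def __init__(self, name, seen_connections, clock):
        self.name = name
        self.seen = set(seen_connections)   # connections this node forwarded (its audit data)
        self.neighbors = []
        self.blocks = {}                     # Connection -> expiry time (None = until undone)
        self.clock = clock

    def block(self, conn, seconds):
        self.blocks[conn] = self.clock() + seconds if seconds else None

    def is_blocked(self, conn):
        now = self.clock()   # timed blocks are dropped once the clock passes their expiry
        self.blocks = {c: t for c, t in self.blocks.items() if t is None or t > now}
        return conn in self.blocks

    def handle_trace(self, msg, dc):
        if msg.conn not in self.seen or self.name in msg.path:
            return   # attack did not pass through here, or we already handled this trace
        self.block(msg.conn, msg.block_seconds)   # local response, decided locally
        onward = replace(msg, path=msg.path + [self.name])
        dc.report(replace(onward, kind="REPORT", origin=self.name))
        for neighbor in self.neighbors:
            neighbor.handle_trace(onward, dc)

    def handle_directive(self, msg):
        if msg.action == "UNDO":
            self.blocks.pop(msg.conn, None)
        elif msg.action == "DO":
            self.block(msg.conn, msg.block_seconds)


def run_scenario(block_seconds=300):
    """Attacker -> FW-A -> R1 -> FW-V -> victim; R2 is a neighbour off the attack path."""
    now = [1000]
    clock = lambda: now[0]
    attack = Connection("198.51.100.7", "192.0.2.10", 23)
    fw_a, r1, r2, fw_v = (IDIPNode("FW-A", {attack}, clock), IDIPNode("R1", {attack}, clock),
                          IDIPNode("R2", set(), clock), IDIPNode("FW-V", {attack}, clock))
    fw_v.neighbors, r1.neighbors, r2.neighbors, fw_a.neighbors = [r1, r2], [fw_a, fw_v], [fw_v], [r1]
    dc = DiscoveryCoordinator()
    trace = Message("TRACE", "telnet login brute force", attack, "IDS@FW-V", block_seconds)
    assert fits_in_datagram(trace)
    fw_v.handle_trace(trace, dc)
    path = dc.nodes_on_path(attack)
    for node in (fw_v, r1, fw_a):       # keep only the block nearest the attacker
        if node.name != path[-1]:
            dc.directive(node, "UNDO", trace)
    after_directives = {n.name: n.is_blocked(attack) for n in (fw_a, r1, r2, fw_v)}
    now[0] += block_seconds + 1         # the timed block lapses by itself...
    after_expiry = fw_a.is_blocked(attack)
    dc.directive(fw_a, "DO", trace, block_seconds=600)   # ...unless the DC extends it
    after_extend = fw_a.is_blocked(attack)
    return {"path": path, "after_directives": after_directives,
            "after_expiry": after_expiry, "after_extend": after_extend}


if __name__ == "__main__":
    print(run_scenario())
```

The `path` list in the message is what stops a trace from looping between neighbours that both saw the connection, and the size check is the datagram constraint from 5.3 applied before the message is sent rather than discovered as a truncated packet at the receiver.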
5.3 Cryptographic Requirements
The basic requirements for IDIP cryptography are:
1. Minimal impact on IDIP message size, as each IDIP message must fit within
one UDP datagram, i.e. under 64 kilobytes.
2. Availability on multiple platforms, including Solaris, OS/2, Linux and
Windows NT, and integration with each.
5.4 Software Architecture
The two primary objectives for the IDIP software architecture are:
1. Ease of integration with various components.
2. Flexibility in modifying the generic component behaviour.
6. INTEGRATED SERVICE CHECKER
6.1 Network Intrusion Detection System
There are several ways to filter NIDS alerts. Filtering is needed because a
NIDS produces a lot of false positive alerts: it usually has no way of
knowing whether the attack actually succeeded or failed. Additional elements
should therefore be added on top of the NIDS to check the targeted host;
this is the integrated service checker (ISC). Many current NIDS are unable
to test the remote operating system, which is why more false positive alerts
are produced.
6.2 System Layout
The sensors run on a Red Hat Linux system, and the NID element is the Snort
system. The sensors are placed so that they can see all outgoing and
incoming traffic of the network.
6.3 Data Collection and Analysis
Data collection is set up so that the sensor cannot interfere with the data
collected. This is achieved by configuring the capture interface in a mode
in which the operating system cannot send any packets on it. For collecting
data a fibre link at gigabit speed is used.
However, a Snort rule can still lead to false positives, for example when it
records off-site web traffic and the string is matched for some unrelated
reason. The checker system is needed especially once it is identified what
the attacker is looking for and the IP addresses of the hackers have been
recorded. After that we may see some IP addresses attempting buffer overflow
attacks against certain ports and services; at this point the vulnerability
checker is used to check the hosts the intruder tried to exploit. A NIDS
integrated with automatic checking can be included in our security
operations and used as a basis for follow-up. This set-up makes the IDS
smarter and reduces the number of false positive alerts.
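As an added example of the checker's filtering (example code written for this report, not the checker's own code): each NIDS alert is compared with what is actually listening on the target host before it is reported, so an IIS exploit aimed at an Apache server is downgraded and an alert against a host or port that does not exist is suppressed. The inventory, banners, signature names and alerts are constructed; a real checker would probe the host instead of reading a table, and the `probe` function here is the stand-in for that.

```python
from dataclasses import dataclass


@dataclass
class Alert:
    signature: str
    src: str
    dst: str
    dport: int
    affects: str   # product family the signature is written against, e.g. "Microsoft-IIS"


# Constructed service inventory, as the checker would build it by probing the hosts.
INVENTORY = {
    "192.0.2.10": {80: "Apache/2.2.3", 22: "OpenSSH_4.3"},
    "192.0.2.11": {80: "Microsoft-IIS/5.0"},
}


def probe(host, port, inventory=INVENTORY):
    """Stand-in for the live service probe: the banner on host:port, or None if nothing listens."""
    return inventory.get(host, {}).get(port)


def triage(alert, inventory=INVENTORY):
    """Decide what a NIDS alert is worth once the target has been checked."""
    if alert.dst not in inventory:
        return "suppress", "target host does not exist"
    banner = probe(alert.dst, alert.dport, inventory)
    if banner is None:
        return "suppress", "no service listening on the target port"
    if not banner.lower().startswith(alert.affects.lower()):
        return "low", f"target runs {banner}, signature targets {alert.affects}"
    return "high", f"target runs {banner}; the attack may have succeeded, verify the host"


def triage_batch(alerts, inventory=INVENTORY):
    return [(a.signature, a.dst, *triage(a, inventory)) for a in alerts]


# Constructed alerts such as a NIDS might raise for one scan of the network.
SAMPLE_ALERTS = [
    Alert("WEB-IIS unicode directory traversal", "203.0.113.9", "192.0.2.10", 80, "Microsoft-IIS"),
    Alert("WEB-IIS unicode directory traversal", "203.0.113.9", "192.0.2.11", 80, "Microsoft-IIS"),
    Alert("WEB-IIS unicode directory traversal", "203.0.113.9", "192.0.2.12", 80, "Microsoft-IIS"),
    Alert("EXPLOIT ssh CRC32 overflow", "203.0.113.9", "192.0.2.11", 22, "OpenSSH"),
]

if __name__ == "__main__":
    for row in triage_batch(SAMPLE_ALERTS):
        print(row)
```

Of the four alerts, only one survives as "high", and that is the one where the host should actually be examined; the "low" entries are still kept, because a scanner trying IIS exploits against every web server is the malicious-intent signal described under the strengths of a network-based IDS.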
7. Other Types of Intrusion Detection Systems
Although NIDS and HIDS are the most widely used tools in intrusion
detection, there are others that are less used but more targeted and,
therefore, more specialized. Because many of these tools are so specialized,
many are still not considered intrusion detection systems but rather
intrusion detection add-ons or tools.
7.1 System Integrity Verifiers (SIVs)
SIVs monitor critical files in a system, such as system files, to find out
whether an intruder has changed them. They can also detect changes to other
system components; for example, they detect when a normal user somehow
acquires root/administrator-level privileges. In addition, they monitor
system registries in order to find well-known signatures.
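As an added example serving both the file-authorization check of section 4 (item 3) and the SIV described here (example code written for this report, not any product's code): a baseline of content hashes, permission bits and ownership is taken, serialised so it can be kept off the monitored host, and later compared against a fresh snapshot. The tampering performed in `demo()` (an extra uid-0 line in a passwd file, a setuid bit on a binary, a dropped file) is constructed for the example, as are the file names.

```python
import hashlib
import json
import os
import stat
import tempfile


def fingerprint(path):
    """Content hash plus the ownership and permission bits an intruder would tamper with."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid}


def snapshot(root):
    """Fingerprint every regular file under root, keyed by path relative to root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                result[os.path.relpath(full, root)] = fingerprint(full)
    return result


def dump_baseline(snap):
    """Serialise the baseline so it can be stored off the monitored host."""
    return json.dumps(snap, sort_keys=True)


def load_baseline(text):
    return json.loads(text)


def compare(baseline, current):
    """Findings as (path, what changed), sorted by path."""
    findings = []
    suid = stat.S_ISUID | stat.S_ISGID
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            findings.append((path, "added"))
        elif new is None:
            findings.append((path, "removed"))
        else:
            for key in ("sha256", "mode", "uid", "gid"):
                if old[key] != new[key]:
                    findings.append((path, f"{key} changed"))
        # A file newly gaining setuid/setgid is one way a normal user becomes root later.
        if new is not None and new["mode"] & suid and not (old and old["mode"] & suid):
            findings.append((path, "setuid/setgid bit set"))
    return findings


def demo():
    """Create a small tree, baseline it, tamper with it as an intruder would, and compare."""
    root = tempfile.mkdtemp()
    ls, passwd = os.path.join(root, "bin", "ls"), os.path.join(root, "etc", "passwd")
    os.makedirs(os.path.dirname(ls))
    os.makedirs(os.path.dirname(passwd))
    with open(ls, "wb") as f:
        f.write(b"\x7fELF placeholder")
    with open(passwd, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")
    os.chmod(ls, 0o644)
    baseline = load_baseline(dump_baseline(snapshot(root)))   # as if read back from offline storage
    # Tampering: a second uid-0 account, a setuid binary, a dropped file.
    with open(passwd, "a") as f:
        f.write("eve:x:0:0::/:/bin/sh\n")
    os.chmod(ls, 0o4755)
    os.makedirs(os.path.join(root, "tmp"))
    with open(os.path.join(root, "tmp", ".rootkit"), "wb") as f:
        f.write(b"x")
    return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The baseline is only as trustworthy as where it is kept: an attacker who can edit the files can also edit a baseline stored beside them, which is why the text places the expected settings outside the network.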
7.2 Log File Monitors (LFM)
LFMs first create a record of the log files generated by network services.
Then they monitor this record, just as a NIDS monitors traffic, looking for
trends, tendencies and patterns in the log files that would suggest an
intruder is attacking.
7.3 Honey pots
A honeypot is a system designed to look like something that an intruder can
hack. They are built for many purposes, but the overriding one is to deceive
attackers and learn about their tools and methods.
Honeypots are also add-ons/tools that are not strictly sniffer-based
intrusion detection systems like HIDS and NIDS. However, they are good
deception systems that protect the network in much the same way as HIDS and
NIDS.
8. CONCLUSION
by logging events, gathering information about network activity, detecting
potential unauthorized intrusions and attacks, preventing actions by
blocking, and alerting the system administrator to potential adverse
intrusion events. It is beginning to assume enormous importance in today's
computing environment. The enormous growth of the Internet and the lack of
truly secure systems make it an important and pertinent field of research.
9. BIBLIOGRAPHY
1. Adams, D. G. (1996). Operational tips for improving intrusion detection
system performance. Paper presented at the 30th Annual International
Carnahan Conference on Security Technology, 2-4 Oct. 1996, Lexington, KY.
2. Axelsson, S. (1999). Research in Intrusion-Detection Systems: A Survey.
3. Pietraszek, T. and Tanner, A. (2005). Data mining and machine learning -
Towards reducing false positives in intrusion detection. Information
Security Technical Report [1363-4127] 10(3), pp. 169-183.