Article ID: 454553 | Journal: Computers & Security | Published Year: 2010 | Pages: 16 | File Type: PDF
Abstract

As attacks on computer systems increase in number and become more sophisticated, there is an obvious need for intrusion detection systems that can effectively recognize known attacks and adapt to novel threats. Specification-based intrusion detection has long been considered a promising solution that integrates the characteristics of an ideal intrusion detection system: accuracy of detection and the ability to recognize novel attacks. However, one of the main challenges of applying this technique in practice is its dependence on user guidance in developing the specification of normal system behavior. In this work, we present an approach for the automatic generation of specifications for any software system executing on a single host, based on the combination of two techniques: the specification-based and anomaly-based approaches. The proposed technique allows automatic development of normal and abnormal behavioral specifications in the form of variable-length patterns classified via an anomaly-based approach. Specifically, we use a machine-learning algorithm to classify fixed-length patterns generated via a sliding-window technique, and infer the classification of variable-length patterns from the aggregation of the machine-learning-based classification results. We describe the design and implementation of our technique and show its practical applicability in the domain of security monitoring through simulation and experiments.

Related Topics: Physical Sciences and Engineering > Computer Science > Computer Networks and Communications