The contents of this legacy page are no longer maintained nor supported, and are made available only for historical purposes.

Bibliography Details

A. Lazarevic, L. Ertoz, V. Kumar, A. Ozgur, and J. Srirvastava, "A Comparative Study of Anomaly Detection Schemes in Network Intrusion Detection", in SIAM 2003, May 2003.

A Comparative Study of Anomaly Detection Schemes in Network Intrusion Detection
Authors: A. Lazarevic
L. Ertoz
V. Kumar
A. Ozgur
J. Srirvastava
Published: SIAM, 2003
Entry Dates: 2009-02-11
Abstract: Intrusion detection corresponds to a suite of techniques that are used to identify attacks against computers and network infrastructures. Anomaly detection is a key element of intrusion detection in which perturbations of normal behavior suggest the presence of intentionally or unintentionally induced attacks, faults, defects, etc. This paper focuses on a detailed comparative study of several anomaly detection schemes for identifying different network intrusions. Several existing supervised and unsupervised anomaly detection schemes and their variations are evaluated on the DARPA 1998 data set of network connections as well as on real network data using existing standard evaluation techniques as well as using several specific metrics that are appropriate when detecting attacks that involve a large number of connections. Our experimental results indicate that some anomaly detection schemes appear very promising when detecting novel intrusions in both DARPA'98 data and real network data.
  • datasets: DARPA1998, 7 weeks and 2 weeks of network-based attacks; real network data from the University of Minnesota;
  • the most successful anomaly detection techniques were able to achieve the detection rate of 74% for attacks involving multiple connections and detection rate of 56% for more complex single connection attacks, while keeping the false alarm rate at 2%; the LOF approach was very successful in picking several very interesting novel attacks;