Experiences with specification-based intrusion detection

Abstract

Specification-based intrusion detection, where manually specified program behavioral specifications are used as a basis to detect attacks, have been proposed as a promising alternative that combine the strengths of misuse detection (accurate detection of known attacks) and anomaly detection (ability to detect novel attacks). However, the question of whether this promise can be realized in practice has remained open. We answer this question in this paper, based on our experience in building a specification-based intrusion detection system and experimenting with it. Our experiments included the 1999 DARPA/AFRL online evaluation, as well as experiments conducted using 1999 DARPA/Lincoln Labs offline evaluation data. These experiments show that an effective specification-based IDS can be developed with modest efforts. They also show that the specification-based techniques live up to their promise of detecting known as well as unknown attacks, while maintaining a very low rate of false positives.