Abstract
Detecting and resolving security and performance problems in distributed systems has become increasingly important and challenging because of the tremendous growth in network-based services. Intrusion detection is an important security technique for networks and systems. In this paper, we propose a methodology for using MIB II objects for network intrusion detection. We establish normal profiles of network activity from the information provided by the MIB II variables, and we use data mining techniques and information-theoretic measures to build an intrusion detection model. We test our MIB II-based intrusion detection model against several Denial of Service (DoS) and probing attacks. The results show that the model detects these attacks effectively.
© 2002 Springer Science+Business Media New York
Cite this chapter
Qin, X., Lee, W., Lewis, L., Cabrera, J.B.D. (2002). Using MIB II Variables for Network Intrusion Detection. In: Barbará, D., Jajodia, S. (eds) Applications of Data Mining in Computer Security. Advances in Information Security, vol 6. Springer, Boston, MA. https://doi.org/10.1007/978-1-4615-0953-0_6
DOI: https://doi.org/10.1007/978-1-4615-0953-0_6
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4613-5321-8
Online ISBN: 978-1-4615-0953-0