Integrating network misuse and anomaly prevention

Abstract

Network intrusion detection systems (NIDS) aim at preventing network attacks and unauthorised remote use of computers. More accurately, depending on the kind of attack it targets, NIDS can be oriented to detect misuses (by defining all possible attacks) or anomalies (by modelling legitimate behaviour to find those that do not fit into that model). Still, since their problem knowledge is restricted to possible attacks, misuse detection fails to notice anomalies and vice versa. Against this background, this paper proposes a third alternative that hybrids misuse and anomaly prevention. In this way, ESIDE-Depian uses a Bayesian network to learn from both anomaly and misuse knowledge in order to be able to detect either kind of attacks, known and unknown. Finally, we evaluate ESIDE-Depian against all kind of menaces to prove in which degree it has been achieved to integrate both approaches.