Home > Publications
Home University of Twente
Prospective Students
Intranet (internal)

EEMCS EPrints Service

15422 Revisiting Anomaly-based Network Intrusion Detection Systems
Home Policy Brochure Browse Search User Area Contact Help

Bolzoni, D. (2009) Revisiting Anomaly-based Network Intrusion Detection Systems. PhD thesis, University of Twente. CTIT Ph.D.-thesis series No. 09-147 ISBN 978-90-365-2853-5

Full text available as:


10696 Kb
Open Access

Official URL:

Exported to Metis


Intrusion detection systems (IDSs) are well-known and widely-deployed security tools to
detect cyber-attacks and malicious activities in computer systems and networks.
A signature-based IDS works similar to anti-virus software. It employs a signature
database of known attacks, and a successful match with current input raises an alert. A
signature-based IDS cannot detect unknown attacks, either because the database is out of
date or because no signature is available yet.
To overcome this limitation, researchers have been developing anomaly-based IDSs. An
anomaly-based IDS works by building a model of normal data/usage patterns during a
training phase, then it compares new inputs to the model (using a similarity metric). A
significant deviation is marked as an anomaly. An anomaly-based IDS is able to detect
previously unknown, or modifications of well-known, attacks as soon as they take place
(i.e., so called zero-day attacks) and targeted attacks.
Cyber-attacks and breaches of information security appear to be increasing in frequency
and impact. Signature-based IDSs are likely to miss an increasingly number of attack
attempts, as cyber-attacks diversify. Thus, one would expect a large number of anomalybased
IDSs to have been deployed to detect the newest disruptive attacks. However, most
IDSs in use today are still signature-based, and few anomaly-based IDSs have been
deployed in production environments.
Up to now a signature-based IDS has been easier to implement and simpler to configure
and maintain than an anomaly-based IDS, i.e., it is easier and less expensive to use. We
see in these limitations the main reason why anomaly-based systems have not been
widely deployed, despite research that has been conducted for more than a decade.
To address these limitations we have developed SilentDefense, a comprehensive
anomaly-based intrusion detection architecture that outperforms competitors not only in
terms of attack detection and false alert rates, but it reduces the user effort as well.
SilentDefense is the first systematic attempt to develop an anomaly-based intrusion
detection system with a high degree of usability.

Item Type:PhD Thesis
Supervisors:Etalle, S. and Hartel, P.H.
Research Group:EWI-DIES: Distributed and Embedded Security
Research Program:CTIT-ISTRICE: Integrated Security and Privacy in a Networked World
Research Project:IPID: Integrated Policy-based Intrusion Detection
ID Code:15422
Deposited On:25 June 2009
More Information:statisticsmetis

Export this item as:

To correct this item please ask your editor

Repository Staff Only: edit this item