A Serial Combination of Anomaly and Misuse IDSes Applied to HTTP Traffic

Elvis Tombini
France Télécom

Hervé Debar
France Télécom

Ludovic Mé

Mireille Ducassé

Combining an ``anomaly'' and a ``misuse'' IDSes offers the advantage of separating the monitored events between normal, intrusive or
unqualified classes (ie not known as an attack, but not recognize as
safe either).

In this article, we provide a framework to systematically reason about
the combination of anomaly and misuse components.

This framework applied to web servers lead us to propose a serial architecture, using a drastic anomaly component with a sensitive misuse component. This architecture provides the operator with better qualification of the detection results, raises lower amount of false alarms and unqualified events.

Keywords: anomaly detection, misuse detection, web server,

Read Paper Read Paper (in PDF)