Combining an ``anomaly'' IDS and a ``misuse'' IDS offers the advantage of separating the monitored events into normal, intrusive or
unqualified classes (i.e. not known as an attack, but not recognised as
In this article, we provide a framework to systematically reason about
the combination of anomaly and misuse components.
Applying this framework to web servers led us to propose a serial architecture that pairs a drastic anomaly component with a sensitive misuse component. This architecture gives the operator a better qualification of the detection results, and raises fewer false alarms and fewer unqualified events.
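The serial architecture described above, as an added illustration that is not part of the paper: a drastic, profile-based anomaly component sees every web request first and lets through as "normal" only what matches a learned profile of the server; everything else is handed to a sensitive, signature-based misuse component, which labels a matching event "intrusive" and a non-matching one "unqualified". The profile, the signature set and the request lines are all constructed sample data, not the authors' evaluation data.

```python
import re
from typing import Dict, List, Optional, Pattern, Tuple
from urllib.parse import parse_qs, urlsplit

# --- Anomaly component (constructed profile) -----------------------------
# The profile lists the resources the server serves and, per resource, the
# parameter names it accepts with a permissive shape check for each value.
# A real deployment would learn this from a corpus of clean traffic.
PROFILE: Dict[str, Dict[str, Pattern[str]]] = {
    "/index.html": {},
    "/search": {"q": re.compile(r"^[\w\s\-]{1,64}$")},
    "/login": {
        "user": re.compile(r"^[\w.\-]{1,32}$"),
        "pw": re.compile(r"^.{1,64}$"),
    },
}


def is_anomalous(path: str, params: Dict[str, str]) -> bool:
    """Drastic rule: any deviation from the profile is anomalous.

    Unknown resource, unknown parameter name, or a value whose shape does
    not match all count as deviations. The component errs on the side of
    flagging, because the misuse stage downstream will qualify the event.
    """
    if path not in PROFILE:
        return True
    allowed = PROFILE[path]
    for name, value in params.items():
        if name not in allowed or not allowed[name].match(value):
            return True
    return False


# --- Misuse component (constructed signature set) ------------------------
# Sensitive, i.e. deliberately broad, patterns: applied to every request
# they would fire often, but they only ever see events the anomaly stage
# has already flagged, which keeps false alarms down.
SIGNATURES: List[Tuple[str, Pattern[str]]] = [
    ("path-traversal", re.compile(r"\.\./")),
    ("script-tag", re.compile(r"<\s*script", re.IGNORECASE)),
]


def match_signature(path: str, params: Dict[str, str]) -> Optional[str]:
    """Return the name of the first signature matching the path or a value."""
    fields = [path] + list(params.values())
    for name, pattern in SIGNATURES:
        if any(pattern.search(field) for field in fields):
            return name
    return None


# --- Serial combination -------------------------------------------------
def parse_request(line: str) -> Tuple[str, Dict[str, str]]:
    """Split a 'METHOD target HTTP/x' request line into path and parameters."""
    _method, target, *_rest = line.split()
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    # keep only the first value of each parameter for the shape check
    return parts.path, {k: v[0] for k, v in query.items()}


def classify_line(line: str) -> str:
    """Normal / intrusive / unqualified, per the serial architecture."""
    path, params = parse_request(line)
    if not is_anomalous(path, params):
        return "normal"            # misuse stage is never consulted
    if match_signature(path, params) is not None:
        return "intrusive"         # anomalous and explained by a signature
    return "unqualified"           # anomalous but unexplained: operator review


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count events per class over a batch of request lines."""
    counts = {"normal": 0, "intrusive": 0, "unqualified": 0}
    for line in lines:
        counts[classify_line(line)] += 1
    return counts


# Constructed sample request lines (not real traffic).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /search?q=ids+survey HTTP/1.1",
    "GET /images/../../secret HTTP/1.1",
    "GET /admin HTTP/1.1",
    "GET /login?user=bob&debug=1 HTTP/1.1",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{classify_line(req):12s} {req}")
    print(summarize(SAMPLE_REQUESTS))
```

The order of the two stages is what gives the three-way qualification: an event only reaches the signature set after the profile has rejected it, so a signature hit explains an already-suspicious event rather than generating an alarm on its own, and whatever survives both stages is surfaced as unqualified for the operator instead of being silently dropped.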
Keywords: anomaly detection, misuse detection, web server,