Experiences With Specification-Based Intrusion Detection
Specification-based intrusion detection, where manually specified program behavioral specifications are used as a basis to detect attacks, have been proposed as a promising alternative that combine the strengths of misuse detection (accurate detection of known attacks) and anomaly detection (ability to detect novel attacks). However, the question of whether this promise can be realized in practice has remained open. The author answers this question in this paper, based on their experience in building a specification-based intrusion detection system and experimenting with it. The experiments included the 1999 DARPA/AFRL online evaluation, as well as experiments conducted using 1999 DARPA/ Lincoln Labs offline evaluation data. These experiments show that an effective specification-based IDS can be developed with modest efforts.