Elvis Tombini
France Télécom
France

Hervé Debar
France Télécom
France

Ludovic Mé
Supélec
France

Mireille Ducassé
IRISA/INSA
France

Combining an ``anomaly'' and a ``misuse'' IDSes offers the advantage of separating the monitored events between normal, intrusive or
unqualified classes (ie not known as an attack, but not recognize as
safe either).

In this article, we provide a framework to systematically reason about
the combination of anomaly and misuse components.

This framework applied to web servers lead us to propose a serial architecture, using a drastic anomaly component with a sensitive misuse component. This architecture provides the operator with better qualification of the detection results, raises lower amount of false alarms and unqualified events.

Keywords: anomaly detection, misuse detection, web server,

Read Paper (in PDF)