Publication | Closed Access
Theoretical basis for intrusion detection
Citations: 44
References: 24
Year: 2005
Venue: Unknown
Topics: Detection Theory, Anomaly Detection, Engineering, Information Security, Information Forensics, Software Analysis, Formal Verification, Hardware Security, Data Science, Data Mining, Pattern Recognition, Intrusion Detection System, Threat Detection, Static Analysis, Intrusion Tolerance, Computer Science, Data Security, Cryptography, Information Security Infrastructure, Intrusion Detection, Theoretical Basis, Security Measurement
Intrusion detection has become an indispensable line of defense in the information security infrastructure. However, every intrusion detection approach is limited by its own problems: signature-based intrusion detection can identify known intrusions but cannot detect novel ones, while anomaly-based intrusion detection has the potential to detect all intrusions but suffers from a higher false alarm rate. For this reason, most existing intrusion detection techniques have not met the requirements for practical deployment. In this paper, the authors propose a theoretical basis for intrusion detection in order to reason about its principles and to analyze the existing problems of intrusion detection in a quantified manner. The root causes of these problems are identified as model inaccuracy and model incompleteness, as well as the lack of distinguishability in the features used. In addition, the authors find that static analysis (Wagner et al., 2001), with a properly selected feature vector, is a promising intrusion detection technique in principle because it can avoid the quality issues of its behavior models.