{"id":"https://openalex.org/W1989359075","doi":"https://doi.org/10.1145/586110.586146","title":"Specification-based anomaly detection","display_name":"Specification-based anomaly detection","publication_year":2002,"publication_date":"2002-11-18","ids":{"openalex":"https://openalex.org/W1989359075","doi":"https://doi.org/10.1145/586110.586146","mag":"1989359075"},"language":"en","primary_location":{"id":"doi:10.1145/586110.586146","is_oa":false,"landing_page_url":"https://doi.org/10.1145/586110.586146","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 9th ACM conference on Computer and communications security","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5102886132","display_name":"R. Sekar","orcid":"https://orcid.org/0009-0008-9135-3296"},"institutions":[{"id":"https://openalex.org/I59553526","display_name":"Stony Brook University","ror":"https://ror.org/05qghxh33","country_code":"US","type":"education","lineage":["https://openalex.org/I59553526"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"R. Sekar","raw_affiliation_strings":["Stony Brook University, Stony Brook, NY"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Stony Brook University, Stony Brook, NY","institution_ids":["https://openalex.org/I59553526"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5028134056","display_name":"Ajay Gupta","orcid":"https://orcid.org/0000-0001-7881-4010"},"institutions":[{"id":"https://openalex.org/I59553526","display_name":"Stony Brook University","ror":"https://ror.org/05qghxh33","country_code":"US","type":"education","lineage":["https://openalex.org/I59553526"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"A. Gupta","raw_affiliation_strings":["Stony Brook University, Stony Brook, NY"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Stony Brook University, Stony Brook, NY","institution_ids":["https://openalex.org/I59553526"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5003582082","display_name":"J. Frullo","orcid":null},"institutions":[{"id":"https://openalex.org/I59553526","display_name":"Stony Brook University","ror":"https://ror.org/05qghxh33","country_code":"US","type":"education","lineage":["https://openalex.org/I59553526"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"J. Frullo","raw_affiliation_strings":["Stony Brook University, Stony Brook, NY"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Stony Brook University, Stony Brook, NY","institution_ids":["https://openalex.org/I59553526"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5055165992","display_name":"T. Shanbhag","orcid":null},"institutions":[{"id":"https://openalex.org/I59553526","display_name":"Stony Brook University","ror":"https://ror.org/05qghxh33","country_code":"US","type":"education","lineage":["https://openalex.org/I59553526"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"T. Shanbhag","raw_affiliation_strings":["Stony Brook University, Stony Brook, NY"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Stony Brook University, Stony Brook, NY","institution_ids":["https://openalex.org/I59553526"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5041975485","display_name":"Ashish Tiwari","orcid":"https://orcid.org/0000-0001-8185-7652"},"institutions":[{"id":"https://openalex.org/I59553526","display_name":"Stony Brook University","ror":"https://ror.org/05qghxh33","country_code":"US","type":"education","lineage":["https://openalex.org/I59553526"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"A. Tiwari","raw_affiliation_strings":["Stony Brook University, Stony Brook, NY"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Stony Brook University, Stony Brook, NY","institution_ids":["https://openalex.org/I59553526"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5057118376","display_name":"Hongyu Yang","orcid":"https://orcid.org/0000-0002-6955-2503"},"institutions":[{"id":"https://openalex.org/I59553526","display_name":"Stony Brook University","ror":"https://ror.org/05qghxh33","country_code":"US","type":"education","lineage":["https://openalex.org/I59553526"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"H. Yang","raw_affiliation_strings":["Stony Brook University, Stony Brook, NY"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Stony Brook University, Stony Brook, NY","institution_ids":["https://openalex.org/I59553526"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5101819377","display_name":"Siyang Zhou","orcid":"https://orcid.org/0000-0003-4949-7081"},"institutions":[{"id":"https://openalex.org/I59553526","display_name":"Stony Brook University","ror":"https://ror.org/05qghxh33","country_code":"US","type":"education","lineage":["https://openalex.org/I59553526"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"S. Zhou","raw_affiliation_strings":["Stony Brook University, Stony Brook, NY"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Stony Brook University, Stony Brook, NY","institution_ids":["https://openalex.org/I59553526"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":7,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":9.9345,"has_fulltext":false,"cited_by_count":363,"citation_normalized_percentile":{"value":0.98357325,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":95,"max":100},"biblio":{"volume":null,"issue":null,"first_page":"265","last_page":"274"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9970999956130981,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11512","display_name":"Anomaly Detection Techniques and Applications","score":0.9970999956130981,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/anomaly-detection","display_name":"Anomaly detection","score":0.8376641273498535},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8120051026344299},{"id":"https://openalex.org/keywords/intrusion-detection-system","display_name":"Intrusion detection system","score":0.7186798453330994},{"id":"https://openalex.org/keywords/anomaly-based-intrusion-detection-system","display_name":"Anomaly-based intrusion detection system","score":0.6634722352027893},{"id":"https://openalex.org/keywords/denial-of-service-attack","display_name":"Denial-of-service attack","score":0.5815455913543701},{"id":"https://openalex.org/keywords/anomaly","display_name":"Anomaly (physics)","score":0.5315601229667664},{"id":"https://openalex.org/keywords/feature","display_name":"Feature (linguistics)","score":0.5052581429481506},{"id":"https://openalex.org/keywords/data-mining","display_name":"Data mining","score":0.5017814636230469},{"id":"https://openalex.org/keywords/constant-false-alarm-rate","display_name":"Constant false alarm rate","score":0.49435997009277344},{"id":"https://openalex.org/keywords/signature","display_name":"Signature (topology)","score":0.48692452907562256},{"id":"https://openalex.org/keywords/false-positive-rate","display_name":"False positive rate","score":0.440879225730896},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.35886305570602417},{"id":"https://openalex.org/keywords/machine-learning","display_name":"Machine learning","score":0.3291381299495697}],"concepts":[{"id":"https://openalex.org/C739882","wikidata":"https://www.wikidata.org/wiki/Q3560506","display_name":"Anomaly detection","level":2,"score":0.8376641273498535},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8120051026344299},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.7186798453330994},{"id":"https://openalex.org/C137524506","wikidata":"https://www.wikidata.org/wiki/Q2247688","display_name":"Anomaly-based intrusion detection system","level":3,"score":0.6634722352027893},{"id":"https://openalex.org/C38822068","wikidata":"https://www.wikidata.org/wiki/Q131406","display_name":"Denial-of-service attack","level":3,"score":0.5815455913543701},{"id":"https://openalex.org/C12997251","wikidata":"https://www.wikidata.org/wiki/Q567560","display_name":"Anomaly (physics)","level":2,"score":0.5315601229667664},{"id":"https://openalex.org/C2776401178","wikidata":"https://www.wikidata.org/wiki/Q12050496","display_name":"Feature (linguistics)","level":2,"score":0.5052581429481506},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.5017814636230469},{"id":"https://openalex.org/C77052588","wikidata":"https://www.wikidata.org/wiki/Q644307","display_name":"Constant false alarm rate","level":2,"score":0.49435997009277344},{"id":"https://openalex.org/C2779696439","wikidata":"https://www.wikidata.org/wiki/Q7512811","display_name":"Signature (topology)","level":2,"score":0.48692452907562256},{"id":"https://openalex.org/C95922358","wikidata":"https://www.wikidata.org/wiki/Q5432725","display_name":"False positive rate","level":2,"score":0.440879225730896},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.35886305570602417},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.3291381299495697},{"id":"https://openalex.org/C26873012","wikidata":"https://www.wikidata.org/wiki/Q214781","display_name":"Condensed matter physics","level":1,"score":0.0},{"id":"https://openalex.org/C110875604","wikidata":"https://www.wikidata.org/wiki/Q75","display_name":"The Internet","level":2,"score":0.0},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.0},{"id":"https://openalex.org/C138885662","wikidata":"https://www.wikidata.org/wiki/Q5891","display_name":"Philosophy","level":0,"score":0.0},{"id":"https://openalex.org/C2524010","wikidata":"https://www.wikidata.org/wiki/Q8087","display_name":"Geometry","level":1,"score":0.0},{"id":"https://openalex.org/C121332964","wikidata":"https://www.wikidata.org/wiki/Q413","display_name":"Physics","level":0,"score":0.0},{"id":"https://openalex.org/C41895202","wikidata":"https://www.wikidata.org/wiki/Q8162","display_name":"Linguistics","level":1,"score":0.0},{"id":"https://openalex.org/C33923547","wikidata":"https://www.wikidata.org/wiki/Q395","display_name":"Mathematics","level":0,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/586110.586146","is_oa":false,"landing_page_url":"https://doi.org/10.1145/586110.586146","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 9th ACM conference on Computer and communications security","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":26,"referenced_works":["https://openalex.org/W8376609","https://openalex.org/W34688585","https://openalex.org/W1516506771","https://openalex.org/W1542723081","https://openalex.org/W1583975142","https://openalex.org/W1592090113","https://openalex.org/W1674877186","https://openalex.org/W1952056635","https://openalex.org/W2002286749","https://openalex.org/W2021767337","https://openalex.org/W2070644473","https://openalex.org/W2072453486","https://openalex.org/W2117002131","https://openalex.org/W2121886199","https://openalex.org/W2126345423","https://openalex.org/W2130523241","https://openalex.org/W2138381338","https://openalex.org/W2150847526","https://openalex.org/W2288766236","https://openalex.org/W2294465279","https://openalex.org/W2338717024","https://openalex.org/W2350778671","https://openalex.org/W2559773779","https://openalex.org/W3105682467","https://openalex.org/W4239578735","https://openalex.org/W4285719527"],"related_works":["https://openalex.org/W2337148208","https://openalex.org/W1971929717","https://openalex.org/W3036013726","https://openalex.org/W1724519426","https://openalex.org/W2351051591","https://openalex.org/W3004832009","https://openalex.org/W4205383432","https://openalex.org/W135634947","https://openalex.org/W2352639800","https://openalex.org/W3112374511"],"abstract_inverted_index":{"Unlike":[0],"signature":[1],"or":[2],"misuse":[3],"based":[4],"intrusion":[5,79,148],"detection":[6,9,21,53,149,199],"techniques,":[7],"anomaly":[8,20,52,198],"is":[10,24,223],"capable":[11],"of":[12,19,30,43,84,98,126,140,159,169,189,196,206,220,245,250],"detecting":[13,55],"novel":[14,56],"attacks.":[15,67],"However,":[16],"the":[17,82,85,138,141,144,160,194,204,216],"use":[18,205],"in":[22,54,123,132,193,209,259],"practice":[23],"hampered":[25],"by":[26],"a":[27,40,71,120,133,166,181,186],"high":[28],"rate":[29,42,168],"false":[31,44,170],"alarms.":[32],"Specification-based":[33],"techniques":[34,237],"have":[35],"been":[36],"shown":[37],"to":[38,62,112,115,156,226,239,254],"produce":[39],"low":[41,167],"alarms,":[45],"but":[46],"are":[47,154],"not":[48],"as":[49,51],"effective":[50],"attacks,":[57],"especially":[58],"when":[59],"it":[60],"comes":[61],"network":[63,99],"probing":[64,161],"and":[65,77,101,162,191,231],"denial-of-service":[66,163],"This":[68],"paper":[69],"presents":[70],"new":[72],"approach":[73,93,142,211,222,253],"that":[74,110,184,203,234],"combines":[75],"specification-based":[76],"anomaly-based":[78],"detection,":[80],"mitigating":[81],"weaknesses":[83],"two":[86],"approaches":[87],"while":[88],"magnifying":[89],"their":[90],"strengths.":[91],"Our":[92],"begins":[94],"with":[95,106,165],"state-machine":[96],"specifications":[97,208],"protocols,":[100],"augments":[102],"these":[103],"state":[104],"machines":[105],"information":[107,128],"about":[108],"statistics":[109],"need":[111,238],"be":[113,130,240],"maintained":[114],"detect":[116,157,255],"anomalies.":[117],"We":[118,136],"present":[119,248],"specification":[121],"language":[122],"which":[124],"all":[125,158],"this":[127,213],"can":[129],"captured":[131],"succinct":[134],"manner.":[135],"demonstrate":[137],"effectiveness":[139],"on":[143],"1999":[145],"Lincoln":[146],"Labs":[147],"evaluation":[150],"data,":[151],"where":[152],"we":[153,201,247],"able":[155],"attacks":[164],"alarms":[171],"(less":[172],"than":[173],"10":[174],"per":[175],"day).":[176],"Whereas":[177],"feature":[178],"selection":[179],"was":[180],"crucial":[182],"step":[183],"required":[185],"great":[187],"deal":[188],"expertise":[190],"insight":[192],"case":[195],"previous":[197],"approaches,":[200],"show":[202],"protocol":[207],"our":[210,221,252],"simplifies":[212],"problem.":[214],"Moreover,":[215],"machine":[217],"learning":[218],"component":[219],"robust":[224],"enough":[225,233],"operate":[227],"without":[228],"human":[229],"supervision,":[230],"fast":[232],"no":[235],"sampling":[236],"employed.":[241],"As":[242],"further":[243],"evidence":[244],"effectiveness,":[246],"results":[249],"applying":[251],"stealthy":[256],"email":[257],"viruses":[258],"an":[260],"intranet":[261],"environment.":[262]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":8},{"year":2024,"cited_by_count":4},{"year":2023,"cited_by_count":7},{"year":2022,"cited_by_count":8},{"year":2021,"cited_by_count":14},{"year":2020,"cited_by_count":15},{"year":2019,"cited_by_count":9},{"year":2018,"cited_by_count":11},{"year":2017,"cited_by_count":18},{"year":2016,"cited_by_count":9},{"year":2015,"cited_by_count":14},{"year":2014,"cited_by_count":13},{"year":2013,"cited_by_count":21},{"year":2012,"cited_by_count":14}],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2025-10-10T00:00:00"}