A framework for the development of anomaly detection systems

Intrusion detection systems typically fall into one of two categories: misuse detection and anomaly detection. In misuse detection systems, attacks are explicitly codified as signatures of some form. They are characterized by a low rate false positives but, to a greater or lesser extent, suffer from an inability to generalize from the signatures in their signature set. That is, new attacks, and even simple variations of attacks for which there are signatures, are often undetected.

Anomaly detection systems detect attacks by comparing current system behavior to some representation of normal system behavior. This representation may be a software or protocol specification but more often takes the form of learning models that have been trained on some set of features that describe activity in the monitored system -- examples include fields in audit records, web requests, and system call invocations. Since anomaly detection systems don't include attack descriptions they have the advantage of being able to detect novel attacks that are distinguishable from normal system behavior in some way.

libAnomaly was created to make research on anomaly detection systems easier by providing implementations of features common to most anomaly detectors:

  • A collection of learning models that operate on common types (strings, integers)
  • Implementations of some common data types (strings, integers, doubles, lists)
  • Methods for aggregating anomaly scores from multiple models
libAnomaly is implemented as a C++ library with an emphasis on efficiency and portability. It is currently in use by two anomaly detectors:
  • syscallsAnomaly: anomaly detection on system call arguments for Linux (Snare) and Solaris (BSM)
  • webAnomaly: anomaly detection on HTTP access logs in the Common Log Format (CLF)


2003 (3 publications)

Bayesian event classification for intrusion detection C. Kruegel, D. Mutz, W. Robertson, F. Valeur Proceedings of the Annual Computer Security Applications Conference (ACSAC 2003)

Anomaly Detection of Web-based Attacks C. Kruegel, G. Vigna Proceedings of the ACM Conference on Computer and Communications Security (CCS 2003) BibTeX

On the Detection of Anomalous System Call Arguments C. Kruegel, D. Mutz, F. Valeur, G. Vigna Proceedings of the European Symposium on Research in Computer Security (ESORICS 2003) BibTeX

Research topics

People involved


Post-doctoral Researchers

PhD Students

Last update
July 27, 2011, 1:54 p.m.