This paper addresses the specific advantages and disadvantages of anomaly-based intrusion detection. One important disadvantage is its impact on user privacy. A great deal of potentially sensitive information is recorded and analyzed in ways that threaten personal integrity. A solution for this may be to pseudonymize the sensitive information in the log files, i.e., exchange user names, etc., for pseudonyms. This paper shows how this can be done. We have carried out a number of experiments using an anomaly detection tool on pseudonymized data collected from a proxy firewall. The experiments revealed most of the known problems of anomaly detection and also some problems originating from the use of intrusion detection in combination with pseudonymization. This paper focuses on these problems and discusses how they can be remedied or circumvented. Also discussed is the extent to which these problems apply to tools based on misuse detection. (C) 2000 Elsevier Science B.V. All rights reserved.