{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,26]],"date-time":"2026-02-26T11:07:02Z","timestamp":1772104022712,"version":"3.50.1"},"publisher-location":"Berlin, Heidelberg","reference-count":40,"publisher":"Springer Berlin Heidelberg","isbn-type":[{"value":"9783540743194","type":"print"},{"value":"9783540743200","type":"electronic"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"DOI":"10.1007\/978-3-540-74320-0_3","type":"book-chapter","created":{"date-parts":[[2007,8,16]],"date-time":"2007-08-16T13:47:48Z","timestamp":1187272068000},"page":"42-62","source":"Crossref","is-referenced-by-count":62,"title":["Comparing Anomaly Detection Techniques for HTTP"],"prefix":"10.1007","author":[{"given":"Kenneth L.","family":"Ingham","sequence":"first","affiliation":[]},{"given":"Hajime","family":"Inoue","sequence":"additional","affiliation":[]}],"member":"297","reference":[{"key":"3_CR1","unstructured":"Apple Computer: Tunneling RTSP and RTP over HTTP (2006) (accessed September 13, 2006), http:\/\/developer.apple.com\/documentation\/QuickTime\/QTSS\/Concepts\/chapter_2_section_14.html"},{"key":"3_CR2","volume-title":"IEEE-IWIA 2003: Proceedings of the First IEEE International Workshop on Information Assurance (IWIA 2003)","author":"N. Athanasiades","year":"2003","unstructured":"Athanasiades, N., Abler, R., Levine, J., Owen, H., Riley, G.: Intrusion detection testing and benchmarking methodologies. In: IEEE-IWIA 2003: Proceedings of the First IEEE International Workshop on Information Assurance (IWIA 2003), Washington, DC, USA, IEEE Computer Society, Los Alamitos (2003)"},{"key":"3_CR3","unstructured":"Booth, D., Haas, H., McCabe, F., Newcomer, E., Champion, M., Ferris, C., Orchard, D.: Web services architecture. 
Technical Report W3C Working Group Note 11 February 2004, World Wide Web Consortium (W3C) (2004) (accessed 2007-04-05), online at http:\/\/www.w3.org\/TR\/ws-arch\/"},{"key":"3_CR4","unstructured":"Cohen, C.F.: CERT advisory CA-2002-17 Apache web server chunk handling vulnerability (July 2002) (accessed July 24, 2002), http:\/\/www.cert.org\/advisories\/CA-2002-17.html"},{"key":"3_CR5","unstructured":"Corporation, M.: Common vulnerabilities and exposures (accessed June 16, 2006), http:\/\/cve.mitre.org\/"},{"key":"3_CR6","unstructured":"Curry, D., Debar, H.: Intrusion detection message exchange format data model and extensible markup language (XML) document type definition (December 2002) (accessed January 1, 2003), http:\/\/www.ietf.org\/internet-drafts\/draft-ietf-idwg-idmef-xml-09.txt"},{"key":"3_CR7","unstructured":"cve.mitre.org: CVE-1999-0107 (July 1999) (accessed September 3, 2006), http:\/\/www.cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-1999-0107"},{"key":"3_CR8","unstructured":"cve.mitre.org: CVE-1999-1199 (September 2004) (accessed October 30, 2005), http:\/\/www.cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-1999-1199"},{"issue":"5199","key":"3_CR9","doi-asserted-by":"publisher","first-page":"843","DOI":"10.1126\/science.267.5199.843","volume":"267","author":"M. Damashek","year":"1995","unstructured":"Damashek, M.: Gauging similarity with n-grams: language-independent categorization of text. Science\u00a0267(5199), 843\u2013848 (1995)","journal-title":"Science"},{"key":"3_CR10","unstructured":"Danyliw, R., Dougherty, C., Householder, A., Ruefle, R.: CERT advisory CA-2001-26 Nimda worm (September 2001), http:\/\/www.cert.org\/advisories\/CA-2001-26.html"},{"key":"3_CR11","unstructured":"Debar, H., Dacier, M., Wespi, A., Lampart, S.: An experimentation workbench for intrusion detection systems. 
Technical Report RZ 6519, IBM Research Division, Zurich Research Laboratory, 8803 R\u00fcschlikon, Switzerland (September 1998)"},{"key":"3_CR12","unstructured":"Eastlake, D., Khare, R., Miller, J.: Selecting payment mechanisms over HTTP (2006) (accessed September 13, 2006), http:\/\/www.w3.org\/TR\/WD-jepi-uppflow-970106"},{"issue":"2","key":"3_CR13","doi-asserted-by":"publisher","first-page":"175","DOI":"10.1016\/j.comnet.2003.12.016","volume":"45","author":"J.M. Est\u00e9vez-Tapiador","year":"2004","unstructured":"Est\u00e9vez-Tapiador, J.M., Garc\u00eda-Teodoro, P., D\u00edaz-Verdejo, J.E.: Measuring normality in http traffic for anomaly-based intrusion detection. Journal of Computer Networks\u00a045(2), 175\u2013193 (2004)","journal-title":"Journal of Computer Networks"},{"key":"3_CR14","doi-asserted-by":"crossref","unstructured":"Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., Berners-Lee, T.: Hypertext transfer protocol\u2014HTTP\/1.1. RFC 2616 (June 1999) (accessed October 2, 2002), ftp:\/\/ftp.isi.edu\/in-notes\/rfc2616.txt","DOI":"10.17487\/rfc2616"},{"key":"3_CR15","unstructured":"Haines, J.W., Lippmann, R.P., Fried, D.J., Tran, E., Boswell, S., Zissman, M.A.: 1999 DARPA intrusion detection system evaluation: Design and procedures. Technical Report TR-1062, Lincoln Laboratory, Massachusetts Institute of Technology, Lexington, MA, USA (February 2001)"},{"key":"3_CR16","volume-title":"Signal Detection Theory","author":"J. Hancock","year":"1966","unstructured":"Hancock, J., Wintz, P.: Signal Detection Theory. McGraw-Hill, New York (1966)"},{"key":"3_CR17","unstructured":"Heberlein, L.: Network security monitor (NSM)\u2014final report. 
Technical report, University of California at Davis Computer Security Lab, Lawrence Livermore National Laboratory project deliverable (1995), http:\/\/seclab.cs.ucdavis.edu\/papers\/NSM-final.pdf"},{"key":"3_CR18","doi-asserted-by":"publisher","first-page":"296","DOI":"10.1109\/RISP.1990.63859","volume-title":"1990 IEEE Computer Society Symposium on Research in Security and Privacy","author":"L. Heberlein","year":"1990","unstructured":"Heberlein, L., Dias, G., Levitt, K., Mukherjee, B., Wood, J., Wolber, D.: A network security monitor. In: 1990 IEEE Computer Society Symposium on Research in Security and Privacy, Oakland, CA, USA, May 7\u20139, 1990, pp. 296\u2013304. IEEE Computer Society Press, Los Alamitos, CA, USA (1990)"},{"key":"3_CR19","doi-asserted-by":"publisher","first-page":"249","DOI":"10.1145\/947469.947535","volume-title":"SIGUCCS 2003: Proceedings of the 31st annual ACM SIGUCCS conference on User services","author":"L.O. Hern\u00e1ndez","year":"2003","unstructured":"Hern\u00e1ndez, L.O., Pegah, M.: WebDAV: what it is, what it does, why you need it. In: SIGUCCS 2003: Proceedings of the 31st annual ACM SIGUCCS conference on User services, New York, NY, USA, pp. 249\u2013254. ACM Press, New York (2003)"},{"key":"3_CR20","unstructured":"Ingham, K.L.: Anomaly Detection for HTTP Intrusion Detection: Algorithm Comparisons and the Effect of Generalization on Accuracy. PhD thesis, Department of Computer Science, University of New Mexico, Albuquerque, NM, 87131 (2007)"},{"issue":"5","key":"3_CR21","doi-asserted-by":"publisher","first-page":"1239","DOI":"10.1016\/j.comnet.2006.09.016","volume":"51","author":"K.L. Ingham","year":"2007","unstructured":"Ingham, K.L., Somayaji, A., Burge, J., Forrest, S.: Learning DFA representations of HTTP for protecting web applications. 
Computer Networks\u00a051(5), 1239\u20131255 (2007)","journal-title":"Computer Networks"},{"key":"3_CR22","doi-asserted-by":"publisher","first-page":"251","DOI":"10.1145\/948109.948144","volume-title":"Proceedings of the 10th ACM conference on Computer and communications security","author":"C. Kruegel","year":"2003","unstructured":"Kruegel, C., Vigna, G.: Anomaly detection of web-based attacks. In: Proceedings of the 10th ACM conference on Computer and communications security, pp. 251\u2013261. ACM Press, New York (2003)"},{"issue":"5","key":"3_CR23","doi-asserted-by":"publisher","first-page":"717","DOI":"10.1016\/j.comnet.2005.01.009","volume":"48","author":"C. Kruegel","year":"2005","unstructured":"Kruegel, C., Vigna, G., Robertson, W.: A multi-model approach to the detection of web-based attacks. Computer Networks\u00a048(5), 717\u2013738 (2005)","journal-title":"Computer Networks"},{"issue":"4","key":"3_CR24","doi-asserted-by":"publisher","first-page":"579","DOI":"10.1016\/S1389-1286(00)00139-0","volume":"34","author":"R. Lippmann","year":"2000","unstructured":"Lippmann, R., Haines, J., Fried, D., Korba, J., Das, K.: The 1999 DARPA off-line intrusion detection evaluation. Computer Networks\u00a034(4), 579\u2013595 (2000)","journal-title":"Computer Networks"},{"key":"3_CR25","doi-asserted-by":"publisher","first-page":"346","DOI":"10.1145\/952532.952601","volume-title":"Proceedings of the 2003 ACM Symposium on Applied computing","author":"M.V. Mahoney","year":"2003","unstructured":"Mahoney, M.V.: Network traffic anomaly detection based on packet bytes. In: Proceedings of the 2003 ACM Symposium on Applied computing, pp. 346\u2013350. ACM Press, New York (2003)"},{"key":"3_CR26","doi-asserted-by":"publisher","first-page":"376","DOI":"10.1145\/775047.775102","volume-title":"Proceedings of the eighth ACM SIGKDD international conference on Knowledge discovery and data mining","author":"M.V. 
Mahoney","year":"2002","unstructured":"Mahoney, M.V., Chan, P.K.: Learning nonstationary models of normal network traffic for detecting novel attacks. In: Proceedings of the eighth ACM SIGKDD international conference on Knowledge discovery and data mining, pp. 376\u2013385. ACM Press, New York (2002)"},{"key":"3_CR27","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"145","DOI":"10.1007\/3-540-39945-3_10","volume-title":"Recent Advances in Intrusion Detection","author":"J. McHugh","year":"2000","unstructured":"McHugh, J.: The 1998 Lincoln Laboratory IDS evaluation\u2014a critique. In: Debar, H., M\u00e9, L., Wu, S.F. (eds.) RAID 2000. LNCS, vol.\u00a01907, pp. 145\u2013161. Springer, Heidelberg (2000)"},{"issue":"4","key":"3_CR28","doi-asserted-by":"publisher","first-page":"262","DOI":"10.1145\/382912.382923","volume":"3","author":"J. McHugh","year":"2000","unstructured":"McHugh, J.: Testing intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory. ACM Transactions on Information and Systems Security\u00a03(4), 262\u2013294 (2000)","journal-title":"ACM Transactions on Information and Systems Security"},{"key":"3_CR29","unstructured":"Microsoft Corporation: Exchange server 2003 RPC over HTTP deployment scenarios (2006) (accessed September 13, 2006), http:\/\/www.microsoft.com\/technet\/prodtechnol\/exchange\/2003\/library\/ex2k3rpc.mspx"},{"issue":"5","key":"3_CR30","doi-asserted-by":"publisher","first-page":"43","DOI":"10.1109\/52.605930","volume":"14","author":"N. Puketza","year":"1997","unstructured":"Puketza, N., Chung, M., Olsson, R., Mukherjee, B.: A software platform for testing intrusion detection systems. IEEE Software\u00a014(5), 43\u201351 (1997)","journal-title":"IEEE Software"},{"issue":"10","key":"3_CR31","doi-asserted-by":"publisher","first-page":"719","DOI":"10.1109\/32.544350","volume":"22","author":"N.J. 
Puketza","year":"1996","unstructured":"Puketza, N.J., Zhang, K., Chung, M., Mukherjee, B., Olsson, R.A.: A methodology for testing intrusion detection systems. IEEE Transactions on Software Engineering\u00a022(10), 719\u2013729 (1996)","journal-title":"IEEE Transactions on Software Engineering"},{"key":"3_CR32","unstructured":"Robertson, W., Vigna, G., Kruegel, C., Kemmerer, R.A.: Using generalization and characterization techniques in the anomaly-based detection of web attacks. In: Network and Distributed System Security Symposium Conference Proceedings: 2006. Internet Society (2006) (accessed February 12, 2006), http:\/\/www.isoc.org\/isoc\/conferences\/ndss\/06\/proceedings\/html\/2006\/papers\/anomaly_signatures.pdf"},{"key":"3_CR33","first-page":"11","volume-title":"Advances in Neural Information Processing Systems","author":"A. Stolcke","year":"1993","unstructured":"Stolcke, A., Omohundro, S.: Hidden Markov Model induction by bayesian model merging. In: Hanson, S.J., Cowan, J.D., Giles, C.L. (eds.) Advances in Neural Information Processing Systems, vol.\u00a05, pp. 11\u201318. Morgan Kaufmann, San Mateo, CA (1993)"},{"key":"3_CR34","unstructured":"Stolcke, A., Omohundro, S.M.: Best-first model merging for hidden Markov model induction. Technical Report TR-94-003, International Computer Science Institute, 1947 Center Street, Suite 600, Berkeley, CA, 94704-1198 (1994)"},{"key":"3_CR35","doi-asserted-by":"crossref","unstructured":"Tombini, E., Debar, H., M\u00e9, L., Ducass\u00e9, M.: A serial combination of anomaly and misuse IDSes applied to HTTP traffic. In: 20th Annual Computer Security Applications Conference (2004)","DOI":"10.1109\/CSAC.2004.4"},{"key":"3_CR36","unstructured":"Vargiya, R., Chan, P.: Boundary detection in tokenizing network application payload for anomaly detection. In: Proceedings of the ICDM Workshop on Data Mining for Computer Security (DMSEC). 
Workshop held in conjunction with The Third IEEE International Conference on Data Mining, November 2003, pp. 50\u201359 (2003) (accessed April 5, 2006), available at http:\/\/www.cs.fit.edu\/~pkc\/dmsec03\/dmsec03notes.pdf"},{"key":"3_CR37","volume-title":"Seventeenth Annual Computer Security Applications Conference","author":"T. Wan","year":"2001","unstructured":"Wan, T., Yang, X.D.: IntruDetector: a software platform for testing network intrusion detection algorithms. In: Seventeenth Annual Computer Security Applications Conference, New Orleans, LA, USA, December 10\u201314, 2001, IEEE Computer Society, Los Alamitos, CA, USA (2001)"},{"key":"3_CR38","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"203","DOI":"10.1007\/978-3-540-30143-1_11","volume-title":"Recent Advances in Intrusion Detection","author":"K. Wang","year":"2004","unstructured":"Wang, K., Stolfo, S.J.: Anomalous payload-based network intrusion detection. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol.\u00a03224, pp. 203\u2013222. Springer, Heidelberg (2004)"},{"key":"3_CR39","first-page":"133","volume-title":"IEEE Symposium on Security and Privacy","author":"C. Warrender","year":"1999","unstructured":"Warrender, C., Forrest, S., Pearlmutter, B.A.: Detecting intrusions using system calls: Alternative data models. In: IEEE Symposium on Security and Privacy, pp. 133\u2013145. 
IEEE Computer Society Press, Los Alamitos (1999)"},{"key":"3_CR40","unstructured":"Wieers, D.: Tunneling SSH over HTTP(S) (2006) (accessed September 13, 2006), http:\/\/dag.wieers.com\/howto\/ssh-http-tunneling\/"}],"container-title":["Lecture Notes in Computer Science","Recent Advances in Intrusion Detection"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-540-74320-0_3.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2020,11,19]],"date-time":"2020-11-19T05:21:35Z","timestamp":1605763295000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-540-74320-0_3"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[null]]},"ISBN":["9783540743194","9783540743200"],"references-count":40,"URL":"https:\/\/doi.org\/10.1007\/978-3-540-74320-0_3","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[]}}