Recent developments in network intrusion detection [guest editorial]

GUEST EDITORIAL bout 20 years ago in November 1988, the Morris worm spread through the Internet, taking down thousands of computers. The incident prompted the U.S. Defense Advanced Research Programs Agency to establish the CERT/CC to coordinate activities to defend against future Internet security problems, and was one of the first media stories to raise public awareness about network security. Security problems with the TCP/IP protocol suite were known (as noted by Steven Bellovin), but the Inter-net was a closed network for academics and researchers at the time. Spam and malware were minor problems, and the Web had not been invented. Security was understandably not one of the high priority concerns of the Internet designers 20 years ago, but the consequences of an open public Internet are now apparent. Today network security has become an everyday problem with virtually all computers connected to the Internet. The average Internet user must be constantly vigilant against a number of network threats such as spam, worms, Trojan horses , bots, spyware, and phishing. Enterprises are forced to fortify their networks against remote intrusions into their servers and databases. Governments are concerned about espionage and the possibility of cyberwarfare. Intrusion detection has been a critical component of network security since the 1980s. It is not realistic to expect that all attacks can be blocked by firewalls, access control lists, and other defenses. Intrusion detection serves the important function of identifying malicious activities and determining their nature, origin, and seriousness. Network-based and host-based intrusion detection methods commonly use a combination of signatures to recognize known attacks and anomaly detection to recognize suspicious behaviors. This Special Issue is intended to present the state of the art in network-based intrusion detection. Although an enormous literature already exists, intrusion detection is a dynamic problem demanding constant research progress to keep up with new exploits, new evasion techniques, and increasing traffic rates. In response to the open call, we were pleased to receive 44 submissions from which six articles were accepted for this issue. The large number of submissions attests to the vitality of research efforts and high interest level in intrusion detection. Intrusion detection is a problem well suited to intelligent sampling. Intrusion detection systems must observe a great amount of traffic (gigabits per second) looking for anomalies, but the vast majority of flows are normal and uninteresting. The first article in this special issue, " Network Anomaly …