Measuring intrusion detection capability

Authors: Guofei Gu, Prahlad Fogla, David Dagon, Wenke Lee, Boris Skorić

DOI: 10.1145/1128817.1128834

Keywords:

Abstract: A fundamental problem in intrusion detection is what metric(s) can be used to objectively evaluate an intrusion detection system (IDS) in terms of its ability to correctly classify events as normal or intrusive. Traditional metrics (e.g., true positive rate and false positive rate) measure different aspects of an IDS, but no single metric seems sufficient to measure the capability of intrusion detection systems. The lack of a single unified metric makes it difficult to fine-tune and evaluate an IDS. In this paper, we provide an in-depth analysis of existing metrics. Specifically, we analyze a typical cost-based scheme [6], and demonstrate that this approach is very confusing and ineffective when the cost factor is not carefully selected. In addition, we provide a novel information-theoretic analysis of IDS and propose a new metric that highly complements cost-based analysis. When examining the intrusion detection process from an information-theoretic point of view, intuitively, we should have less uncertainty about the input (event data) given the IDS output (alarm data). Thus, our new metric, CID (Intrusion Detection Capability), is defined as the ratio of the mutual information between IDS input and output to the entropy of the input. CID has the desired property that: (1) it takes into account all the important aspects of detection capability naturally, i.e., true positive rate, false positive rate, positive predictive value, negative predictive value, and base rate; (2) it objectively provides an intrinsic measure of intrusion detection capability; and (3) it is sensitive to IDS operation parameters such as true positive rate and false positive rate, which can demonstrate the effect of subtle changes in intrusion detection systems. We propose CID as an appropriate performance measure to maximize when fine-tuning an IDS. The obtained operation point is the best that can be achieved by the IDS in terms of its intrinsic ability to classify input data. We use numerical examples as well as experiments of actual IDSs on various data sets to show that by using CID, we can choose the best (optimal) operating point for an IDS and objectively compare different IDSs.
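As an added illustration (not code from the paper), the following computes CID exactly as the abstract defines it, I(X;Y)/H(X), from the three quantities it names (base rate, true positive rate, false positive rate), using Shannon entropy in bits; the ROC points passed in are constructed sample values.

```python
import math


def _entropy(probs):
    """Shannon entropy in bits of a probability vector (0 * log 0 = 0)."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


def cid(base_rate, tp_rate, fp_rate):
    """Intrusion Detection Capability: CID = I(X;Y) / H(X).

    X is the true class of an event (1 = intrusion, 0 = normal) and
    Y is the IDS output (1 = alarm, 0 = no alarm).
    base_rate = P(X=1), tp_rate = P(Y=1|X=1), fp_rate = P(Y=1|X=0).
    """
    b = base_rate
    # Joint distribution P(X=x, Y=y) for the four outcomes.
    p11 = b * tp_rate            # intrusion, alarm (true positive)
    p10 = b * (1 - tp_rate)      # intrusion, no alarm (false negative)
    p01 = (1 - b) * fp_rate      # normal, alarm (false positive)
    p00 = (1 - b) * (1 - fp_rate)  # normal, no alarm (true negative)
    h_x = _entropy([b, 1 - b])              # uncertainty about the input
    h_y = _entropy([p11 + p01, p10 + p00])  # uncertainty about the alarms
    h_xy = _entropy([p11, p10, p01, p00])   # joint uncertainty
    mutual_info = h_x + h_y - h_xy          # I(X;Y)
    return mutual_info / h_x


def best_operating_point(base_rate, roc_points):
    """Return the (tp_rate, fp_rate) pair on the ROC curve with the highest CID."""
    return max(roc_points, key=lambda pt: cid(base_rate, pt[0], pt[1]))


if __name__ == "__main__":
    # Constructed sample ROC points for an IDS facing a 1% base rate.
    base = 0.01
    points = [(0.5, 0.5), (0.9, 0.01), (0.9, 0.001), (0.99, 0.1)]
    for tp, fp in points:
        print(f"TP={tp:.3f} FP={fp:.3f} CID={cid(base, tp, fp):.4f}")
    print("best:", best_operating_point(base, points))
```

At a 1% base rate, cutting the false positive rate from 0.01 to 0.001 at the same true positive rate raises CID noticeably, which is the base-rate sensitivity the abstract lists as property (1).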

References (23)

Guofei Gu, Prahlad Fogla, David Dagon, Wenke Lee, Boris Skoric. An Information-Theoretic Measure of Intrusion Detection Capability. Georgia Institute of Technology, 2005.

Klaus Kursawe, Klaus Julisch, Yves Deswarte, Andreas Wespi, Brian Randell, Dominique Alessandri, Christian Cachin, James Riordan, Marc Dacier, David Powell, Raffael Marty, M. Dacier. Design of an Intrusion-Tolerant Intrusion Detection System. 2002.

Paul A. Wintz, John C. Hancock. Signal Detection Theory. McGraw-Hill, 1966.

Vern Paxson. Bro: a system for detecting network intruders in real-time. Computer Networks, vol. 31, pp. 2435-2463, 1999. DOI: 10.1016/S1389-1286(99)00112-7

Matthew V. Mahoney, Philip K. Chan. An analysis of the 1999 DARPA/Lincoln Laboratory evaluation data for network anomaly detection. Recent Advances in Intrusion Detection, pp. 220-237, 2003. DOI: 10.1007/978-3-540-45248-5_13

Martin Roesch. Snort - Lightweight Intrusion Detection for Networks. USENIX Large Installation Systems Administration Conference, pp. 229-238, 1999.

R.P. Lippmann, D.J. Fried, I. Graf, J.W. Haines, K.R. Kendall, D. McClung, D. Weber, S.E. Webster, D. Wyschogrod, R.K. Cunningham, M.A. Zissman. Evaluating intrusion detection systems: the 1998 DARPA off-line intrusion detection evaluation. DARPA Information Survivability Conference and Exposition, vol. 2, pp. 12-26, 2000. DOI: 10.1109/DISCEX.2000.821506