Addressing low base rates in intrusion detection via uncertainty-bounding multi-step analysis

Robert J. Cole, Peng Liu

Research output: Contribution to journalConference article

Abstract

Existing approaches to characterizing intrusion detection systems focus on performance under test conditions. While it is well-understood that operational conditions may differ from test conditions, little attention has been paid to the question of assessing the effect on IDS results of parameter estimation errors resulting from these differences. In this paper we consider this question in the context of multi-step attacks. We derive simulated distributions of the posterior probability of exploit given the observation of a series of alerts and bounds on the posterior uncertainty given a particular distribution of the model parameters. Knowledge of such bounds introduces the novel prospect of a confidence versus agility tradeoff in IDS administration. Such a tradeoff could give administrators flexibility in IDS configuration, allowing them to choose detection confidence at the price of detection latency, according to organizational priorities.

Original languageEnglish (US)
Article number4721564
Pages (from-to)269-278
Number of pages10
JournalProceedings - Annual Computer Security Applications Conference, ACSAC
DOIs
StatePublished - Dec 1 2008
Event24th Annual Computer Security Applications Conference, ACSAC 2008 - Anaheim, CA, United States
Duration: Dec 8 2008Dec 12 2008

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Software
  • Safety, Risk, Reliability and Quality

Fingerprint Dive into the research topics of 'Addressing low base rates in intrusion detection via uncertainty-bounding multi-step analysis'. Together they form a unique fingerprint.

  • Cite this