Title :
Addressing Low Base Rates in Intrusion Detection via Uncertainty-Bounding Multi-Step Analysis
Author :
Cole, Robert J. ; Liu, Peng
Author_Institution :
Sch. of Inf. Sci. & Technol., Pennsylvania State Univ., University Park, PA
Abstract :
Existing approaches to characterizing intrusion detection systems focus on performance under test conditions. While it is well-understood that operational conditions may differ from test conditions, little attention has been paid to the question of assessing the effect on IDS results of parameter estimation errors resulting from these differences. In this paper we consider this question in the context of multi-step attacks. We derive simulated distributions of the posterior probability of exploit given the observation of a series of alerts and bounds on the posterior uncertainty given a particular distribution of the model parameters. Knowledge of such bounds introduces the novel prospect of a confidence versus agility tradeoff in IDS administration. Such a tradeoff could give administrators flexibility in IDS configuration, allowing them to choose detection confidence at the price of detection latency, according to organizational priorities.
Keywords :
inference mechanisms; parameter estimation; probability; security of data; inference uncertainty; intrusion detection system; low base rate address; parameter estimation error; posterior probability distribution; test condition; uncertainty-bounding multistep analysis; Application software; Bayesian methods; Computer security; Expert systems; Information analysis; Intrusion detection; Performance analysis; Phase detection; System testing; Uncertainty; Bayesian network; Intrusion detection; Probabilistic inference;
Conference_Titel :
Computer Security Applications Conference, 2008. ACSAC 2008. Annual
Conference_Location :
Anaheim, CA
Print_ISBN :
978-0-7695-3447-3
DOI :
10.1109/ACSAC.2008.14
