Principled reasoning and practical applications of alert fusion in intrusion detection systems

Proceedings of the 2008 ACM Symposium on Information, Computer and Communications Security, ASIACCS '08

Volumn , Issue , 2008, Pages 136-147

  Gu, Guofei ^a   Cárdenas, Alvaro A ^b   Lee, Wenke ^b  

^a Georgia Institute of Technology   (United States)

^b UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

Alert fusion; IDS ensemble; Intrusion detection; Likelihood ratio test; ROC curve

Indexed keywords

DATA SETS; DECISION-THEORETIC; EMPIRICAL STUDIES; FOLLOWING PROBLEM; FUSION TECHNIQUES; INTRUSION DETECTION SYSTEMS; INTRUSION DETECTORS; LIKELIHOOD RATIO TESTS; MAJORITY VOTING; MULTIPLE DETECTORS; ROC CURVES; WEIGHTED VOTING;

COMPUTER CRIME; DETECTORS; MAXIMUM LIKELIHOOD ESTIMATION;

INTRUSION DETECTION;

EID: 77952384694     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1368310.1368332     Document Type: Conference Paper

References (52)

1. Kdd cup 1999 data. http://kdd.ics.uci.edu/databases/kddcup99/kddcup99. html, 2005.
2. Nahla Ben Amor, Salem Benferhat, and Zied Elouedi. Naive bayes vs decision trees in intrusion detection systems. In SAC '04: Proceedings of the 2004 ACM symposium on Applied computing, pages 420-424, New York, NY, USA, 2004. ACM Press.
3. Anish Arora, Dennis Hall, C. Ariel Pinto, Dwayne Ramsey, and Rahul Telang. Measuring the risk-based value of it security solutions. IT Professional, 6 (6):35-42, Nov.-Dec. 2004.
4. S. Axelsson. The base-rate fallacy and its implications for the difficulty of intrusion detection. In Proceedings of ACM CCS'1999, November 1999.
5. Marco Barreno, Alvaro A. Cardenas, and J. D. Tygar. Optimal roc curve for a combination of classifiers. In Proceedings of Neural Information Processing Systems (NIPS) 20, 2008.
6. Tim Bass. Intrusion detection systems and multisensor data fusion. Commun. ACM, 43 (4):99-105, 2000.
7. J. De Bonet, C. Isbell, and P. Viola. Mimic: Finding optima by estimating probability densities. Advances in Neural Information Processing Systems, 9, 1997.
8. L. Breiman. Bagging predictors. Machine Learning, 24 (2):123-140, 1996.
9. Alvaro Cardenas, John Baras, and Karl Seamon. A Framework for the Evaluation of Intrusion Detection Systems. In Proceedings of the 2006 IEEE Symposium on Security and Privacy, Oakland, California, May 2006.
10. Chih-Chung Chang and Chih-Jen Lin. LIBSVM: a library for support vector machines, 2001. Software available at http://www.csie.ntu.edu.tw/~cjlin/libsvm.
11. F. Cuppens and A. Miege. Alert correlation in a cooperative intrusion detection framework. In Proceedings of IEEE Symposium on Security and Privacy 2002, 2002.
12. Herve Debar and Andreas Wespi. Aggregration and correlation of intrusion-detection alerts. In Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection (RAID'01), 2001.
13. Luca Didaci, Giorgio Giacinto, and Fabio Roli. Ensemble learning for intrusion detection in computer networks. http://citeseer.ist.psu.edu/533620. html.
14. Thomas G. Dietterich. Ensemble methods in machine learning. Lecture Notes in Computer Science, 1857:1-15, 2000.
15. W. Fan, W. Lee, S. Stolfo, and M. Miller. A multiple model cost-sensitive approach for intrusion detection. In Proceedings of The Eleventh European Conference on Machine Learning (ECML'00), 2000.
16. W. Fan, S. Stolfo, and J. Zhang. Adacost: cost-sensitive boosting. In Proceedings of International Coference on Machine Learning (ICML'99), 1999.
17. Y. Freund and R. E. Schapire. Experiments with a new boosting algorithm. In Thirteenth International Conference on Machine Learning (ICML), pages 148-156, 1996.
18. G. Giacinto and F. Roli. Intrusion detection in computer networks by multiple classifier systems. In Proceedings of 16th International Conference on Pattern Recognition (ICPR 2002), 2002.
19. Guofei Gu, Prahlad Fogla, David Dagon, Wenke Lee, and Boris Skoric. Measuring intrusion detection capability: An information-theoretic approach. In Proceedings of the 2006 ACM Symposium on Information, Computer, and Communication Security (ASIACCS'06), March 2006.
20. Guofei Gu, Prahlad Fogla, David Dagon, Wenke Lee, and Boris Skoric. Towards an information-theoretic framework for analyzing intrusion detection systems. In Proceedings of the 11th European Symposium on Research in Computer Security (ESORICS'06), September 2006.
21. Trevor Hastie, Robert Tibshirani, and Jerome Friedman. The Elements of Statistical Learning. Springer-Verlag New York, Inc., 2003.
22. Imad Y. Hoballah and Pramod K. Varshney. Distributed Bayesian signal detection. IEEE Transactions on Information Theory, 35 (5):995-1000, 1989.
23. Wenjie Hu, Yihua Liao, and V. Rao Vemuri. Robust support vector machines for anomaly detection in computer security. In Proc. 2003 International Conference on Machine Learning and Applications (ICMLA'03), 2003.
24. Finn V. Jensen. Bayesian Networks and Decision Graphs. Springer-Verlag New York, Inc., Secaucus, NJ, USA, 2001.
25. Michael I. Jordan, editor. Learning in graphical models. MIT Press, Cambridge, MA, USA, 1999.
26. th ACM Conference on Computer and Communication Security (CCS '03), pages 251-261, Washington, DC, October 2003. ACM Press.
27. C. Kruegel, G. Vigna, and W. Robertson. A Multi-model Approach to the Detection of Web-based Attacks. Computer Networks, 48 (5):717-738, August 2005. (Pubitemid 40684159)
28. Christopher Kruegel, Darren Mutz, William Robertson, and Fredrik Valeur. Bayesian Event Classification for Intrusion Detection. In Proceedings of the Annual Computer Security Applications Conference (ACSAC 2003), Las Vegas, NV, December 2003.
29. Ludmila I. Kuncheva. Combining Pattern Classifiers: Methods and Algorithms. Wiley, 2004.
30. W. Lee, W. Fan, M. Miller, S. Stolfo, and E. Zadok. Cost-sensitive modeling for intrusion detection and response. Journal of Computer Security, 10 (1, 2), 2002.
31. Wenke Lee and Salvatore J. Stolfo. A framework for constructing features and models for intrusion detection systems. ACM Transactions on Information and System Security (TISSEC), 3 (4): p. 227-261, 2000.
32. Yihua Liao and V. Rao Vemuri. Using text categorization techniques for intrusion detection. In 11th USENIX Security Symposium, August 5-9, 2002., pages 51-59, 2002.
33. R. P. Lippmann, D. J. Fried, I. Graf, J. W. Haines, K. P. Kendall, D. McClung, D. Weber, S. E. Webster, D. Wyschogrod, R. K. Cunningham, and M. A. Zissman. Evaluating intrusion detection systems: The 1998 darpa off-line intrusion detection evaluation. In Proceedings of the 2000 DARPA Information Survivability Conference and Exposition (DISCEX'00), 2000.
34. M. Mahoney. Network traffic anomaly detection based on packet bytes. In Proceedings of 18th ACM Symp. on Applied Computing, pages 346-350, November 2003.
35. M. Mahoney and P. Chan. An analysis of the 1999 darpa/lincoln laboratory evaluation data for network anomaly detection. In Proceedings of the 6th International Symposium on Recent Advances in Intrusion Detection (RAID'03), 2003.
36. John McHugh. Testing intrusion detection systems: A critique of the 1998 and 1999 darpa off-line intrusion detection system evaluation as performed by lincoln laboratory. ACM Transactions on Information and System Security, 3 (4), November 2000.
37. Tom Mitchell. Machine Learning. McGraw-Hill, 1997.
38. J. Neyman and E. S. Pearson. On the problem of the most efficient tests of statistical hypotheses. Philosophical Transactions of the Royal Society of London, Series A, Containing Papers of a Mathematical or Physical Character, 231:289-337, 1933.
39. Peng Ning, Yun Cui, and Douglas S. Reeves. Constructing attack scenarios through correlation of intrusion alerts. In Proceedings of the 9th ACM Conference on Computer & Communications Security (CCS'02), 2002.
40. Roberto Perdisci, Guofei Gu, and Wenke Lee. Using an ensemble of one-class svm classifiers to harden payload-based anomaly detection systems. In Proceedings of the IEEE International Conference on Data Mining (ICDM'06), December 2006.
41. Phillip A. Porras, Martin W. Fong, and Alfonso Valdes. A mission-impact-based approach to infosec alarm correlation. In Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID'02), 2002.
42. Rain Forest Puppy. Libwhisker official release v2.1, 2004. Available at http://www.wiretrip. net/rfp/lw.asp.
43. Martin Roesch. Snort: Lightweight intrusion detection for networks. In LISA, pages 229-238, 1999.
44. M. Shankar, N. Rao, and S. Batsell. Fusing intrusion data for detection and containment. In Proceedings of MILCOM2003, 2003.
45. Sal Stolfo, Wei Fan, Wenke Lee, Andreas Prodromidis, and Phil Chan. Cost-based modeling for fraud and intrusion detection: Results from the jam project. In Proceedings of the 2000 DARPA Information Survivability Conference and Exposition (DISCEX '00), 2000.
46. Eric Totel, Frederic Majorczyk, and Ludovic Me. COTS diversity intrusion detection and application to web servers. In Proceedings of RAID'2005, September 2005.
47. F. Valeur, G. Vigna, C. Kruegel, and R. Kemmerer. A Comprehensive Approach to Intrusion Detection Alert Correlation. IEEE Transactions on Dependable and Secure Computing, 31 (3):146-169, July-September 2004.
48. V. N. Vapnik. The Nature of Statistical Learning Theory. Springer, 1995.
49. P. Varshney. Distributed Detection and Data Fusion. Spinger-Verlag, New York, NY, 1996.
50. Ke Wang and Salvatore J. Stolfo. Anomalous payload-based network intrusion detection. In Proceedings of RAID'2004, September 2004.
51. D. H. Wolpert. Stacked generalization. Neural Networks, 5:241-259, 1992.
52. L. Xu, A. Krzyzak, and CY Suen. Methods of combining multiple classifiers and their applications to handwriting recognition. IEEE Trans. Systems Man Cybernet, 22 (3):418-435, 1992.