Addressing Low Base Rates in Intrusion Detection via Uncertainty-Bounding Multi-Step Analysis

Existing approaches to characterizing intrusion detection systems focus on performance under test conditions. While it is well-understood that operational conditions may differ from test conditions, little attention has been paid to the question of assessing the effect on IDS results of parameter estimation errors resulting from these differences. In this paper we consider this question in the context of multi-step attacks. We derive simulated distributions of the posterior probability of exploit given the observation of a series of alerts and bounds on the posterior uncertainty given a particular distribution of the model parameters. Knowledge of such bounds introduces the novel prospect of a confidence versus agility tradeoff in IDS administration. Such a tradeoff could give administrators flexibility in IDS configuration, allowing them to choose detection confidence at the price of detection latency, according to organizational priorities.