Addressing Low Base Rates in Intrusion Detection via Uncertainty-Bounding Multi-Step Analysis

Existing approaches to characterizing intrusion detection systems focus on performance under test conditions. While it is well-understood that operational conditions may differ from test conditions, little attention has been paid to the question of assessing the effect on IDS results of parameter es...

Detailed description

Bibliographic details
Main authors: Cole, R.J., Peng Liu
Format: Conference Proceeding
Language: eng
container_end_page 278
container_issue
container_start_page 269
container_title
container_volume
creator Cole, R.J.
Peng Liu
description Existing approaches to characterizing intrusion detection systems focus on performance under test conditions. While it is well-understood that operational conditions may differ from test conditions, little attention has been paid to the question of assessing the effect on IDS results of parameter estimation errors resulting from these differences. In this paper we consider this question in the context of multi-step attacks. We derive simulated distributions of the posterior probability of exploit given the observation of a series of alerts and bounds on the posterior uncertainty given a particular distribution of the model parameters. Knowledge of such bounds introduces the novel prospect of a confidence versus agility tradeoff in IDS administration. Such a tradeoff could give administrators flexibility in IDS configuration, allowing them to choose detection confidence at the price of detection latency, according to organizational priorities.
doi_str_mv 10.1109/ACSAC.2008.14
format Conference Proceeding
fulltext fulltext_linktorsrc
identifier ISSN: 1063-9527
ispartof 2008 Annual Computer Security Applications Conference (ACSAC), 2008, p.269-278
issn 1063-9527
2576-9103
language eng
recordid cdi_ieee_primary_4721564
source IEEE Electronic Library (IEL) Conference Proceedings
subjects Application software
Bayesian methods
Bayesian network
Computer security
Expert systems
Information analysis
Intrusion detection
Performance analysis
Phase detection
Probabilistic inference
System testing
Uncertainty
title Addressing Low Base Rates in Intrusion Detection via Uncertainty-Bounding Multi-Step Analysis
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-02-14T12%3A38%3A47IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-ieee_6IE&rft_val_fmt=info:ofi/fmt:kev:mtx:book&rft.genre=proceeding&rft.atitle=Addressing%20Low%20Base%20Rates%20in%20Intrusion%20Detection%20via%20Uncertainty-Bounding%20Multi-Step%20Analysis&rft.btitle=2008%20Annual%20Computer%20Security%20Applications%20Conference%20(ACSAC)&rft.au=Cole,%20R.J.&rft.date=2008-12&rft.spage=269&rft.epage=278&rft.pages=269-278&rft.issn=1063-9527&rft.eissn=2576-9103&rft.isbn=0769534473&rft.isbn_list=9780769534473&rft_id=info:doi/10.1109/ACSAC.2008.14&rft_dat=%3Cieee_6IE%3E4721564%3C/ieee_6IE%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rft_ieee_id=4721564&rfr_iscdi=true