Towards dynamic self-tuning for intrusion detection systems

Detailed description

Saved in:
Bibliographic details
Main authors: Sun-il Kim, Nwanze, N, Kintner, J
Format: Conference paper
Language: eng
Subjects:
Online access: order full text
Description
Summary: Anomaly-based intrusion detection systems model the normal activity and are attractive in that new, never-seen attacks can be detected. In addition, they can be implemented as a black-box solution that sits away from the host, using methods that allow rapid processing of the incoming packets without the need to examine higher-layer information such as protocol details or host profiles. However, the statistical fingerprint of the normal traffic can shift. These changes, caused by various site-level phenomena (such as changes in overall activity at the networked site or even system updates), can lead to a significant increase in false positive rates. In turn, this effect puts a heavy burden on the post-detection stages, which inspect the packets that have raised alarms, thereby reducing the overall system performance. In order to guarantee the level of reliability such a system is expected to provide, we need an autonomous mechanism for detecting when a valid traffic change occurs and a self-tuning mechanism for when such an alarm is raised. In this paper, we explore in detail the first step towards automating the tuning of intrusion detection systems: the alarm generation. We present a scheme for computing when a traffic change occurs using statistical analysis of anomaly score data. This method can be adapted to a variety of anomaly-based intrusion detection systems. We show that, with some modification, a combination of technical analysis methods (typically used in predicting and verifying financial market data) can be used to guide the intrusion detection system by providing information on when the traffic change occurs. We also discuss the possibility of quick re-tuning using incoming packets collected on-line with a noise-resistant intrusion detection scheme.
ISSN: 1097-2641, 2374-9628
DOI: 10.1109/PCCC.2010.5682339