Increasing coverage to improve detection of network and host anomalies

Bibliographic details
Published in: Machine Learning 2010-06, Vol. 79 (3), p. 307-334
Main authors: Tandon, Gaurav; Chan, Philip K.
Format: Article
Language: eng
Online access: Full text
Description
Summary: For intrusion detection, the LERAD algorithm learns a succinct set of comprehensible rules for detecting anomalies, which could be novel attacks. LERAD validates the learned rules on a separate held-out validation set and removes rules that cause false alarms. However, removing rules with possibly high coverage can lead to missed detections. We propose three techniques for increasing coverage: Weighting, Replacement and Hybrid. Weighting retains previously pruned rules and associates weights with them. Replacement, on the other hand, substitutes pruned rules with other candidate rules to ensure high coverage. We also present a Hybrid approach that selects between the two techniques based on training data coverage. Empirical results from seven data sets indicate that, for LERAD, increasing coverage by Weighting, Replacement and Hybrid detects more attacks than Pruning with minimal computational overhead.
ISSN: 0885-6125, 1573-0565
DOI: 10.1007/s10994-009-5145-3