
Principled reasoning and practical applications of alert fusion in intrusion detection systems

Published: 18 March 2008

Abstract

It is generally believed that by combining several diverse intrusion detectors (i.e., forming an IDS ensemble), we may achieve better performance. However, there has been very little work on analyzing the effectiveness of an IDS ensemble. In this paper, we study the following problem: how to make a good fusion decision on the alerts from multiple detectors in order to improve the final performance. We propose a decision-theoretic alert fusion technique based on the likelihood ratio test (LRT). We report our experience from empirical studies, and formally analyze its practical interpretation based on ROC curve analysis. Through theoretical reasoning and experiments using multiple IDSs on several data sets, we show that our technique is more flexible and also outperforms other existing fusion techniques such as AND, OR, majority voting, and weighted voting.
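The abstract contrasts a likelihood-ratio-test fusion rule with AND, OR and majority voting. The following is an added illustration, not code from the paper: it fuses binary alerts from conditionally independent detectors by their likelihood ratio and computes the exact (TPR, FPR) operating point of each rule for a constructed ensemble, so the ROC-style comparison the abstract describes can be reproduced on toy numbers. The detector rates, the independence assumption and the threshold value are all assumptions of this example.

```python
"""LRT alert fusion versus AND, OR and majority voting (added example).

Not code from the paper. Assumes n binary-alert detectors that are
conditionally independent given the traffic class, each with detection
rate p_i = P(alert | intrusion) and false-positive rate q_i = P(alert | normal).
"""
from itertools import product
from math import log

# Constructed ensemble (not the paper's data): one strong and two weak detectors.
RATES = [(0.95, 0.01), (0.60, 0.30), (0.60, 0.30)]

def log_likelihood_ratio(alerts, rates):
    """log P(alerts | intrusion) / P(alerts | normal); detector i contributes
    log(p_i/q_i) if it fired and log((1-p_i)/(1-q_i)) if it stayed silent."""
    return sum(log(p / q) if a else log((1 - p) / (1 - q))
               for a, (p, q) in zip(alerts, rates))

def lrt_fuse(alerts, rates, tau=1.0):
    """Likelihood ratio test: raise a fused alarm iff the ratio is >= tau."""
    return log_likelihood_ratio(alerts, rates) >= log(tau)

# The fixed fusion rules the abstract compares against.
def and_fuse(alerts): return all(alerts)
def or_fuse(alerts): return any(alerts)
def majority_fuse(alerts): return 2 * sum(alerts) > len(alerts)

def operating_point(rule, rates):
    """Exact (TPR, FPR) of a fusion rule, enumerating all 2^n alert vectors."""
    tpr = fpr = 0.0
    for alerts in product((0, 1), repeat=len(rates)):
        if not rule(alerts):
            continue
        p_int = p_norm = 1.0
        for a, (p, q) in zip(alerts, rates):
            p_int *= p if a else 1 - p      # P(alert vector | intrusion)
            p_norm *= q if a else 1 - q     # P(alert vector | normal)
        tpr += p_int
        fpr += p_norm
    return tpr, fpr

if __name__ == "__main__":
    rules = {"AND": and_fuse, "OR": or_fuse, "majority": majority_fuse,
             "LRT tau=1": lambda a: lrt_fuse(a, RATES)}
    for name, rule in rules.items():
        tpr, fpr = operating_point(rule, RATES)
        print(f"{name:10s} TPR={tpr:.3f} FPR={fpr:.3f}")
```

For this ensemble the LRT at tau=1 reaches TPR 0.950 at FPR 0.010, while majority voting gives TPR 0.816 at FPR 0.094; sweeping tau traces the fused ROC curve, and AND and OR sit at its two extremes.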



Published In

ASIACCS '08: Proceedings of the 2008 ACM symposium on Information, computer and communications security
March 2008
399 pages
ISBN: 9781595939791
DOI: 10.1145/1368310

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. IDS ensemble
2. ROC curve
3. alert fusion
4. intrusion detection
5. likelihood ratio test

Acceptance Rates

Overall Acceptance Rate 418 of 2,322 submissions, 18%
