Weighting versus pruning in rule validation for detecting network and host anomalies
G Tandon, PK Chan - Proceedings of the 13th ACM SIGKDD …, 2007 - dl.acm.org
For intrusion detection, the LERAD algorithm learns a succinct set of comprehensible rules for detecting anomalies, which could be novel attacks. LERAD validates the learned rules on a separate held-out validation set and removes rules that cause false alarms. However, removing rules with possible high coverage can lead to missed detections. We propose to retain these rules and associate weights to them. We present three weighting schemes and our empirical results indicate that, for LERAD, rule weighting can detect more attacks than pruning with minimal computational overhead.
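Added illustration, not code from the paper: a simplified LERAD-style rule set validated two ways. Pruning drops any rule that fires on the attack-free validation set; the weighting variant keeps it with an assumed scheme, weight = 1/(1 + validation violations), chosen here because the paper's three schemes are not given on this page. The anomaly score sums weight × n/r over violated rules (LERAD's coverage-over-value-set factor, without its time term); rules, records and threshold are constructed.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    """LERAD-style rule: when the antecedent holds, target must be in allowed.
    n = training records matching the antecedent (coverage); r = len(allowed)."""
    antecedent: dict
    target: str
    allowed: frozenset
    n: int
    weight: float = 1.0

    def violated(self, rec):
        applies = all(rec.get(k) == v for k, v in self.antecedent.items())
        return applies and rec.get(self.target) not in self.allowed

def validate(rules, validation, mode):
    """'prune': drop every rule that fires on the attack-free validation set.
    'weight': keep it, weight = 1/(1+violations) (assumed scheme, not the paper's)."""
    out = []
    for rule in rules:
        viol = sum(rule.violated(rec) for rec in validation)
        if mode == "prune":
            if viol == 0:
                out.append(rule)
        else:
            out.append(Rule(rule.antecedent, rule.target, rule.allowed, rule.n,
                            1.0 / (1 + viol)))
    return out

def score(rules, rec):
    """Anomaly score: sum of weight * n / r over the rules the record violates."""
    return sum(r.weight * r.n / len(r.allowed) for r in rules if r.violated(rec))

# Constructed sample rules; the first has high coverage (n=1000).
RULES = [
    Rule({"proto": "tcp", "dport": 80}, "flags", frozenset({"S", "SA", "A"}), n=1000),
    Rule({"dport": 22}, "proto", frozenset({"tcp"}), n=50),
    Rule({"proto": "udp"}, "dport", frozenset({53, 123}), n=200),
]
VALIDATION = [  # constructed, attack-free; the first is a rare but benign FIN
    {"proto": "tcp", "dport": 80, "flags": "F"},
    {"proto": "udp", "dport": 53, "flags": "-"},
    {"proto": "tcp", "dport": 22, "flags": "S"},
]
ATTACK = {"proto": "tcp", "dport": 80, "flags": "SF"}  # constructed anomalous record
THRESHOLD = 10.0

def detected(mode, rec=ATTACK):
    """True when the validated rule set flags rec as anomalous."""
    return score(validate(RULES, VALIDATION, mode), rec) > THRESHOLD
```

Pruning discards the high-coverage rule after its single benign validation hit and so misses the attack; weighting halves the rule's weight and still detects it.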