The Community for Technology Leaders
Computer Security Applications Conference, Annual (2008)
Dec. 8, 2008 to Dec. 12, 2008
ISSN: 1063-9527
ISBN: 978-0-7695-3447-3
pp: 269-278
ABSTRACT
Existing approaches to characterizing intrusion detection systems focus on performance under test conditions. While it is well-understood that operational conditions may differ from test conditions, little attention has been paid to the question of assessing the effect on IDS results of parameter estimation errors resulting from these differences. In this paper we consider this question in the context of multi-step attacks. We derive simulated distributions of the posterior probability of exploit given the observation of a series of alerts and bounds on the posterior uncertainty given a particular distribution of the model parameters. Knowledge of such bounds introduces the novel prospect of a confidence versus agility tradeoff in IDS administration. Such a tradeoff could give administrators flexibility in IDS configuration, allowing them to choose detection confidence at the price of detection latency, according to organizational priorities.
INDEX TERMS
Intrusion detection, Bayesian network, Probabilistic inference
CITATION

P. Liu and R. J. Cole, "Addressing Low Base Rates in Intrusion Detection via Uncertainty-Bounding Multi-Step Analysis," 2008 13th Asia-Pacific Computer Systems Architecture Conference (ACSAC), Hsinchu, 2008, pp. 269-278.
doi:10.1109/ACSAC.2008.14
78 ms
(Ver 3.3 (11022016))