Loss -sensitive decision rules for intrusion detection and response

Jia Wang, University of Pennsylvania


When large numbers of alerts are reported by intrusion detection (ID) systems in very fine granularity, it prevents system administrators from handling the alerts effectively. This in turn degrades the usability of an intrusion detection system. Aside from detection, timely responses of intrusions are also critical to lower the risks brought by online attacks. The goal of the dissertation is to improve alert accuracy and to develop decision rules for alert response while minimizing risks brought by online attacks. The dissertation mainly consists of three parts: (1) We propose a general scheme based on supervised machine learning techniques that can be used to estimate the posterior probability of alerts, as required by decision rule methodology. In addition, the scheme brings alert information from disparate sources together to achieve higher accuracy. Although we only focus on combining misuse and anomaly alert information from ID systems in our study, it should not be difficult to extend the scheme to include alerts from other security devices, firewalls, VPNs or auditing tools. The scheme also makes anomaly ID systems more useful by providing contextual information to anomaly alerts to lower the cost of alert handling. (2) We define loss in each attack category through user-specific asset value levels of the target systems on the aspects of confidentiality, integrity and availability together with the attack impact levels on the same three aspects. Based on the definition of loss functions and the estimation of posterior probability, we present the decision rule methodology for alert response to minimize the risks brought by online attacks. Since there is no way to eliminate false positives completely, decision rules help us to cope with them by taking the responsive action with minimal risk. (3) To evaluate the effectiveness of the proposed scheme, we carry out experiments using realistic attack traces. Since there are no widely available attack traces with good attack coverage and adequate numbers of attack instances, we generate realistic attack traces through the selection of typical attacks and the design of attack scenarios that reflect the real world. A representative combination of attacks is selected according to their typical attacking methods and the frequencies of their presence on the Internet. Outside experts with intensive hacking knowledge were invited to define hackers' behavior in the 5 days' simulation period based on empirical analysis of hacker personalities. The overall attack scenario consists of multiple interleaved simultaneous hacking activities. The result of our data analysis demonstrates the decision rule methodology and shows how accuracy of alerts is improved by combining disparate alerts.

Subject Area

Computer science|Statistics|Artificial intelligence

Recommended Citation

Wang, Jia, "Loss -sensitive decision rules for intrusion detection and response" (2004). Dissertations available from ProQuest. AAI3138087.