CCS
2008
ACM

Principled reasoning and practical applications of alert fusion in intrusion detection systems

It is generally believed that by combining several diverse intrusion detectors (i.e., forming an IDS ensemble), we may achieve better performance. However, there has been very little work on analyzing the effectiveness of an IDS ensemble. In this paper, we study the following problem: how to make a good fusion decision on the alerts from multiple detectors in order to improve the final performance. We propose a decision-theoretic alert fusion technique based on the likelihood ratio test (LRT). We report our experience from empirical studies, and formally analyze its practical interpretation based on ROC curve analysis. Through theoretical reasoning and experiments using multiple IDSs on several data sets, we show that our technique is more flexible and also outperforms other existing fusion techniques such as AND, OR, majority voting, and weighted voting.

Categories and Subject Descriptors: C.2.0 [Computer-Communication Network]: Security and Protection; B.8.2 [PERFORMANCE AND RELIABIL...
Guofei Gu, Alvaro A. Cárdenas, Wenke Lee
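The abstract contrasts LRT-based fusion with AND, OR and majority voting. The following is an added illustration, not code from the paper: it fuses binary alerts from three detectors under the simplifying assumption that detectors fire independently given the true class, with constructed per-detector detection and false-positive rates, and derives the LRT threshold from an assumed attack prior and miss/false-alarm costs.

```python
from math import log

# Constructed detector characteristics (assumed for illustration, not from the paper).
# tpr = P(alert | intrusion), fpr = P(alert | normal traffic).
DETECTORS = {
    "sig_ids":  {"tpr": 0.90, "fpr": 0.01},   # precise signature engine
    "anom_ids": {"tpr": 0.70, "fpr": 0.05},   # noisier anomaly detector
    "host_ids": {"tpr": 0.60, "fpr": 0.02},   # host-based sensor
}


def log_likelihood_ratio(alerts, detectors=DETECTORS):
    """Sum of per-detector log likelihood ratios, assuming conditional independence.
    alerts maps detector name -> 1 (alert raised) or 0 (no alert)."""
    llr = 0.0
    for name, rates in detectors.items():
        fired = alerts[name]
        p_attack = rates["tpr"] if fired else 1.0 - rates["tpr"]
        p_normal = rates["fpr"] if fired else 1.0 - rates["fpr"]
        llr += log(p_attack) - log(p_normal)
    return llr


def lrt_threshold(prior_attack, cost_miss, cost_false_alarm):
    """Bayes-optimal log threshold: raise an alert iff
    LR > (C_false_alarm * P(normal)) / (C_miss * P(attack))."""
    return log(cost_false_alarm * (1.0 - prior_attack)) - log(cost_miss * prior_attack)


def fuse_lrt(alerts, prior_attack=0.001, cost_miss=100.0, cost_false_alarm=1.0):
    return log_likelihood_ratio(alerts) > lrt_threshold(prior_attack, cost_miss, cost_false_alarm)


def fuse_and(alerts):
    return all(alerts.values())


def fuse_or(alerts):
    return any(alerts.values())


def fuse_majority(alerts):
    return 2 * sum(alerts.values()) > len(alerts)


def fuse_all(alerts):
    """Decision of every rule for one alert vector, for side-by-side comparison."""
    return {"lrt": fuse_lrt(alerts), "and": fuse_and(alerts),
            "or": fuse_or(alerts), "majority": fuse_majority(alerts)}
```

With these constructed rates, a lone alert from the precise signature engine clears the LRT threshold while a lone alert from the weaker host sensor does not, which is exactly the per-detector weighting that AND, OR and majority voting cannot express.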
Added 12 Oct 2010
Updated 12 Oct 2010
Type Conference
Year 2008
Where CCS
Authors Guofei Gu, Alvaro A. Cárdenas, Wenke Lee