Reducing False Alarm Rate in Anomaly Detection with Layered Filtering

  • Authors:
  • Rafał Pokrywka

  • Affiliations:
  • Institute of Computer Science, AGH University of Science and Technology, Kraków, Poland 30-059 and IBM SWG Laboratory, Kraków, Poland 30-150

  • Venue:
  • ICCS '08 Proceedings of the 8th international conference on Computational Science, Part I
  • Year:
  • 2008

Abstract

There is a general class of methods for detecting anomalies in a computer system which are based on heuristics or artificial intelligence techniques. These methods are meant to distinguish between normal and anomalous system behaviour. Their main weakness is the false alarm rate, which is usually measured by counting false positives on a sample set representing normal behaviour. This measurement does not take into account the base rate of anomalous behaviour in a live environment, and that leads to the base-rate fallacy. This problem can greatly affect the real number of false alarms, which can be significantly greater than the expected value. Usually little can be done to further improve the classification algorithms themselves. In this paper a different approach to reducing the real false alarm rate, based on layered filtering, is presented and discussed. The solution explores the potential of a properly structured system of several anomaly detectors.
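The base-rate argument above, worked through numerically as an added example (not code from the paper). It assumes each detector is summarised by a true-positive rate and a false-positive rate measured on sample sets, and it models layered filtering as detectors applied in series with independent errors; both are simplifying assumptions the abstract does not specify.

```python
"""Base-rate fallacy for anomaly detectors, single vs. layered.

Added example; not the paper's code. Assumptions (not from the paper):
each detector is summarised by a true-positive rate (TPR) and a
false-positive rate (FPR) measured on sample sets, and a layered system
is modelled as detectors in series with independent errors: an event is
an alarm only if every layer flags it.
"""
from typing import Sequence


def bayesian_detection_rate(base_rate: float, tpr: float, fpr: float) -> float:
    """P(anomaly | alarm): the share of raised alarms that are real.

    This is what a sample-set FPR hides: with a tiny base rate of
    anomalies, almost every alarm can be false even when FPR looks small.
    """
    alarms = base_rate * tpr + (1.0 - base_rate) * fpr
    return base_rate * tpr / alarms if alarms > 0.0 else 0.0


def real_false_alarm_fraction(base_rate: float, tpr: float, fpr: float) -> float:
    """Fraction of alarms in the live environment that are false."""
    return 1.0 - bayesian_detection_rate(base_rate, tpr, fpr)


def layered_rates(layers: Sequence[tuple[float, float]]) -> tuple[float, float]:
    """Effective (TPR, FPR) of independent detectors applied in series.

    Each layer only sees what the previous one flagged, so both rates
    multiply: FPR shrinks geometrically while TPR degrades more slowly.
    """
    tpr = fpr = 1.0
    for layer_tpr, layer_fpr in layers:
        tpr *= layer_tpr
        fpr *= layer_fpr
    return tpr, fpr


if __name__ == "__main__":
    base = 1e-5                 # constructed: 1 anomalous event in 100,000
    detector = (0.99, 0.01)     # constructed: 99% TPR, 1% FPR on a sample set
    for depth in (1, 2, 3):
        tpr, fpr = layered_rates([detector] * depth)
        print(f"{depth} layer(s): TPR={tpr:.4f} FPR={fpr:.0e} "
              f"false share of alarms={real_false_alarm_fraction(base, tpr, fpr):.3f}")
```

With these constructed numbers a single detector with a "1% false alarm rate" raises alarms that are about 99.9% false, while three layers bring the false share of alarms below 10% at the cost of a few percent of detection rate.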