A training algorithm for optimal margin classifiers
COLT '92 Proceedings of the fifth annual workshop on Computational learning theory
The 1999 DARPA off-line intrusion detection evaluation
Computer Networks: The International Journal of Computer and Telecommunications Networking - Special issue on recent advances in intrusion detection systems
Detection, Estimation, and Modulation Theory: Radar-Sonar Signal Processing and Gaussian Signals in Noise
A Sense of Self for Unix Processes
SP '96 Proceedings of the 1996 IEEE Symposium on Security and Privacy
Information-Theoretic Measures for Anomaly Detection
SP '01 Proceedings of the 2001 IEEE Symposium on Security and Privacy
Eigenspace-based anomaly detection in computer systems
Proceedings of the tenth ACM SIGKDD international conference on Knowledge discovery and data mining
Diagnosing network-wide traffic anomalies
Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications
IEEE Security and Privacy
Mining anomalies using traffic feature distributions
Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
A first look at modern enterprise traffic
IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
Detecting anomalies in network traffic using maximum entropy estimation
IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
An adaptive anomaly detector for worm detection
SYSML'07 Proceedings of the 2nd USENIX workshop on Tackling computer systems problems with machine learning techniques
Comparing anomaly detection techniques for HTTP
RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
Empirical analysis of rate limiting mechanisms
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Two effective methods to detect anomalies in embedded systems
Microelectronics Journal
On leveraging stochastic models for remote attestation
INTRUST'10 Proceedings of the Second international conference on Trusted Systems
Automated Anomaly Detector Adaptation using Adaptive Threshold Tuning
ACM Transactions on Information and System Security (TISSEC)
POSTER: Revisiting anomaly detection system design philosophy
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
| Hi-index | 0.00 |
ROC curves have historically been used to evaluate the accuracy of Intrusion Detection Systems (IDSs). In this paper, we argue that a real-time IDS' input changes considerably over time and ROC curves generated using fixed, time-invariant classification thresholds do not characterize the best accuracy that an IDS can achieve. To address this problem, we propose a simple, generic and adaptive technique to achieve good ROC operating points for any given IDS. The proposed technique stochastically predicts the next anomaly score of an IDS and the anomaly classification threshold is then set as a function of the predicted score. We first perform statistical and information-theoretic analyses of network- and host-based IDSs' anomaly scores to reveal a consistent time correlation structure during benign activity periods. We model the observed correlation structure using Markov chains and then use this model to predict and adapt an IDS' classification threshold. The proposed adaptive thresholding module is incorporated into six prominent network- and host-based Anomaly Detection Systems (ADSs). These adaptive ADSs are evaluated on public and labeled attack datasets. We show that, while reducing the need for manual threshold configuration and having very low-complexity, adaptive thresholding enables the ADSs to achieve considerably higher accuracies on the ROC plane.