Model redundancy vs. intrusion detection

  • Authors: Zhuowei Li; Amitabha Das; Sabu Emmanuel

  • Affiliations: School of Computer Engineering, Nanyang Technological University, Singapore; School of Computer Engineering, Nanyang Technological University, Singapore; School of Computer Engineering, Nanyang Technological University, Singapore

  • Venue: ISPEC'05 Proceedings of the First international conference on Information Security Practice and Experience
  • Year: 2005

Abstract

A major problem faced by intrusion detection is the intensive computation in the detection phase, and a possible solution is to reduce model redundancy, and thus economize the detection computation. However, the existing literature lacks any formal evaluation of the significance of model redundancy for intrusion detection. In this paper, we try to do such an evaluation. First, in a general intrusion detection methodology, the model redundancy in the behavior model can be reduced using feature ranking and the proposed concept of 'variable-length signature'. Then, the detection performance of the behavior model before and after model redundancy is compared. The preliminary experimental results show that the model redundancy in the behavior model is useful to detect novel intrusions, but the model redundancy due to the overlapping distinguishability among features is insignificant for intrusion detection.