IEEE Transactions on Software Engineering - Special issue on computer security and privacy
Elements of information theory
Elements of information theory
The nature of statistical learning theory
The nature of statistical learning theory
A Methodology for Testing Intrusion Detection Systems
IEEE Transactions on Software Engineering
The base-rate fallacy and its implications for the difficulty of intrusion detection
CCS '99 Proceedings of the 6th ACM conference on Computer and communications security
Towards a taxonomy of intrusion-detection systems
Computer Networks: The International Journal of Computer and Telecommunications Networking - Special issue on computer network security
Bro: a system for detecting network intruders in real-time
Computer Networks: The International Journal of Computer and Telecommunications Networking
A framework for constructing features and models for intrusion detection systems
ACM Transactions on Information and System Security (TISSEC)
ACM Transactions on Information and System Security (TISSEC)
Machine Learning
Statistical Foundations of Audit Trail Analysis for the Detection of Computer Misuse
IEEE Transactions on Software Engineering
Panel: Foundations for Intrusion Detection?
CSFW '00 Proceedings of the 13th IEEE workshop on Computer Security Foundations
Information-Theoretic Measures for Anomaly Detection
SP '01 Proceedings of the 2001 IEEE Symposium on Security and Privacy
Enhancing byte-level network intrusion detection signatures with context
Proceedings of the 10th ACM conference on Computer and communications security
Snort - Lightweight Intrusion Detection for Networks
LISA '99 Proceedings of the 13th USENIX conference on System administration
Polygraph: Automatically Generating Signatures for Polymorphic Worms
SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Mining anomalies using traffic feature distributions
Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
Measuring intrusion detection capability: an information-theoretic approach
ASIACCS '06 Proceedings of the 2006 ACM Symposium on Information, computer and communications security
A Framework for the Evaluation of Intrusion Detection Systems
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Network intrusion detection: evasion, traffic normalization, and end-to-end protocol semantics
SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Autograph: toward automated, distributed worm signature detection
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Towards a theory of intrusion detection
ESORICS'05 Proceedings of the 10th European conference on Research in Computer Security
Principled reasoning and practical applications of alert fusion in intrusion detection systems
Proceedings of the 2008 ACM symposium on Information, computer and communications security
Streaming Estimation of Information-Theoretic Metrics for Anomaly Detection (Extended Abstract)
RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
PAID: packet analysis for anomaly intrusion detection
PAKDD'08 Proceedings of the 12th Pacific-Asia conference on Advances in knowledge discovery and data mining
A comparison of feature-selection methods for intrusion detection
MMM-ACNS'10 Proceedings of the 5th international conference on Mathematical methods, models and architectures for computer network security
Improving Effectiveness of Intrusion Detection by Correlation Feature Selection
International Journal of Mobile Computing and Multimedia Communications
Automated Anomaly Detector Adaptation using Adaptive Threshold Tuning
ACM Transactions on Information and System Security (TISSEC)
| Hi-index | 0.00 |
IDS research still needs to strengthen mathematical foundations and theoretic guidelines. In this paper, we build a formal framework, based on information theory, for analyzing and quantifying the effectiveness of an IDS. We firstly present a formal IDS model, then analyze it following an information-theoretic approach. Thus, we propose a set of information-theoretic metrics that can quantitatively measure the effectiveness of an IDS in terms of feature representation capability, classification information loss, and overall intrusion detection capability. We establish a link to relate these metrics, and prove a fundamental upper bound on the intrusion detection capability of an IDS. Our framework is a practical theory which is data trace driven and evaluation oriented in this area. In addition to grounding IDS research on a mathematical theory for formal study, this framework provides practical guidelines for IDS fine-tuning, evaluation and design, that is, the provided set of metrics greatly facilitates a static/dynamic fine-tuning of an IDS to achieve optimal operation and a fine-grained means to evaluate IDS performance and improve IDS design. We conduct experiments to demonstrate the utility of our framework in practice.