Anomaly detector performance evaluation using a parameterized environment

Authors: Jeffery P. Hansen, Kymie M. C. Tan, Roy A. Maxion

Affiliation: Carnegie Mellon University, Pittsburgh, Pennsylvania (all authors)

Venue: RAID'06, Proceedings of the 9th International Conference on Recent Advances in Intrusion Detection

Year: 2006

Abstract

Over the years, intrusion detection has matured into a field replete with anomaly detectors of various types. These detectors are tasked with detecting computer-based attacks, insider threats, worms and more. Their abundance easily prompts the question: is anomaly detection improving in efficacy and reliability? Current evaluation strategies may provide answers; however, they suffer from problems. For example, they produce results that are only valid within the evaluation data set, and they provide very little by way of diagnostic information to tune detector performance in a principled manner. This paper studies the problem of acquiring reliable performance results for an anomaly detector. Aspects of a data environment that will affect detector performance, such as the frequency distribution of data elements, are identified, characterized and used to construct a synthetic data environment to assess a frequency-based anomaly detector. In a series of experiments that systematically maps out the detector's performance, areas of detection weakness are exposed and strengths are identified. Finally, the extensibility of the lessons learned in the synthetic environment is observed using real-world data.
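The abstract describes the method only in outline: parameterize the data environment (here, the frequency distribution of data elements), inject anomalies of a controlled kind, and sweep the parameters to map where a frequency-based detector succeeds and fails. The following is an added illustration written for this page, not the paper's code or its detector. It assumes a Zipf-like symbol distribution with a skew parameter s, a toy detector that flags any symbol whose training-set probability (Laplace smoothed) falls below a floor p_min, and an anomaly model that overwrites a fraction of test positions with a chosen symbol; the anomaly's own rank in the training distribution is the second swept parameter. All data are constructed in the script.

```python
import math
import random
from collections import Counter

# Constructed synthetic environment (added illustration, not the paper's code).
# Symbols are drawn from a Zipf-like distribution whose skew parameter s
# controls how uneven the symbol frequencies are.


def zipf_probabilities(n_symbols, s):
    """Probability of the symbol with rank k (1-based) is proportional to
    1/k**s. s = 0 gives a uniform alphabet; larger s gives a heavier head
    and a longer tail of rare symbols."""
    weights = [1.0 / (k ** s) for k in range(1, n_symbols + 1)]
    total = sum(weights)
    return [w / total for w in weights]


def sample_symbols(n_symbols, s, length, rng):
    """Draw `length` symbols as 0-based ids; id 0 is the most frequent."""
    probs = zipf_probabilities(n_symbols, s)
    return rng.choices(range(n_symbols), weights=probs, k=length)


class FrequencyDetector:
    """Toy frequency-based detector (an assumption of this example): learn
    per-symbol frequencies from normal training data, then flag any test
    symbol whose estimated probability is below p_min. Laplace smoothing
    gives never-seen symbols a small but finite probability."""

    def __init__(self, vocab_size, p_min):
        self.vocab_size = vocab_size
        self.p_min = p_min
        self.counts = Counter()
        self.total = 0

    def train(self, data):
        self.counts.update(data)
        self.total += len(data)

    def probability(self, symbol):
        return (self.counts[symbol] + 1) / (self.total + self.vocab_size)

    def is_anomalous(self, symbol):
        return self.probability(symbol) < self.p_min


def inject(data, anomaly_symbol, rate, rng):
    """Overwrite a fraction `rate` of positions with `anomaly_symbol`.
    Returns the modified sequence and a ground-truth label per position."""
    data = list(data)
    labels = [False] * len(data)
    for i in rng.sample(range(len(data)), int(rate * len(data))):
        data[i] = anomaly_symbol
        labels[i] = True
    return data, labels


def evaluate(s, anomaly_symbol, n_symbols=20, train_len=5000, test_len=2000,
             anomaly_rate=0.02, p_min=0.01, seed=1):
    """One cell of the performance map. Returns (hit_rate, false_alarm_rate):
    hits are counted over injected positions, false alarms over the
    legitimate positions that remain."""
    rng = random.Random(seed)
    train = sample_symbols(n_symbols, s, train_len, rng)
    test = sample_symbols(n_symbols, s, test_len, rng)
    # vocab_size reserves one id (== n_symbols) for a symbol absent from training
    det = FrequencyDetector(n_symbols + 1, p_min)
    det.train(train)
    test, labels = inject(test, anomaly_symbol, anomaly_rate, rng)
    alarms = [det.is_anomalous(x) for x in test]
    n_anom = sum(labels)
    n_legit = len(labels) - n_anom
    hits = sum(1 for a, l in zip(alarms, labels) if a and l)
    false_alarms = sum(1 for a, l in zip(alarms, labels) if a and not l)
    hit_rate = hits / n_anom if n_anom else 0.0
    fa_rate = false_alarms / n_legit if n_legit else 0.0
    return hit_rate, fa_rate


def performance_map(skews=(0.0, 1.0, 2.0), anomaly_symbols=(0, 9, 19, 20)):
    """Sweep the environment parameter (skew) against the anomaly's rank in
    the training distribution; id 20 is the symbol never seen in training."""
    return {(s, a): evaluate(s, a) for s in skews for a in anomaly_symbols}


if __name__ == "__main__":
    for (s, a), (hit, fa) in sorted(performance_map().items()):
        print(f"skew={s:.1f} anomaly_symbol={a:2d}  "
              f"hit_rate={hit:.2f}  false_alarm_rate={fa:.4f}")
```

Two cells of the map make the diagnostic point. In a uniform environment (s = 0) every legitimate symbol is common, so an anomaly that reuses any in-alphabet symbol is invisible to the detector (hit rate 0) even though a never-seen symbol is always caught; as skew grows, rare-but-legitimate symbols fall below p_min and become false alarms, while an anomaly that reuses the most common symbol is still missed whatever the skew. A single real-world trace would report one point on this surface with no indication of which regime it sits in.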