Towards an Information-Theoretic Approach for Measuring Intelligent False Alarm Reduction in Intrusion Detection

False alarms are a major challenge for intrusion detection systems (IDSs). Many approaches, especially machine learning based schemes, have been proposed to mitigate this issue by filtering out false alarms. A fundamental problem remains, however: how to objectively evaluate an algorithm's ability to distinguish false alarms from true alarms. To make better use of the available machine learning algorithms, intelligent false alarm reduction has been proposed, which selects and applies an appropriate algorithm adaptively. Traditional metrics (e.g., true positive rate, false positive rate) are mainly used for algorithm selection and evaluation, but no single one of them is sufficient and objective enough to measure an algorithm's capability in reducing false alarms. The lack of a single objective metric makes it difficult to fine-tune and evaluate algorithms for reducing IDS false alarms. In this paper, we first describe the relationship between the process of intrusion detection and the process of false alarm detection (reduction). We then give an information-theoretic analysis of intelligent false alarm reduction and propose a single objective metric for evaluating different algorithms at identifying IDS false alarms. Finally, we evaluate our metric under three scenarios by comparing it with several existing metrics.
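The abstract argues that TPR and FPR alone cannot rank false-alarm filters, but does not state the proposed metric. The following Python is an added example, not code from the paper: it models a false-alarm filter as a binary channel from ground truth X (true alarm or false alarm) to filter decision Y and computes, beside TPR and FPR, the normalized mutual information I(X;Y)/H(X) that Gu et al. (ASIACCS 2006) use as intrusion detection capability, applied here to the false-alarm-reduction step. That this matches the paper's exact metric is an assumption, and the alarm counts in the scenarios are constructed.

```python
from collections import Counter
from math import log2

# Ground truth X: 1 = true alarm, 0 = false alarm.
# Filter decision Y: 1 = keep (classified as true alarm), 0 = discard.
# The metric below (normalized mutual information) is assumed for
# illustration; it is not taken from the paper's text.


def make_pairs(tp, fn, fp, tn):
    """Expand confusion counts into a list of (x, y) observations."""
    return [(1, 1)] * tp + [(1, 0)] * fn + [(0, 1)] * fp + [(0, 0)] * tn


def rates(pairs):
    """Traditional metrics: (TPR, FPR) of the filter over the alarm set."""
    c = Counter(pairs)
    tp, fn, fp, tn = c[(1, 1)], c[(1, 0)], c[(0, 1)], c[(0, 0)]
    tpr = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return tpr, fpr


def entropy(dist):
    """Shannon entropy in bits of a probability dict; zero-mass terms skipped."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)


def mutual_information(pairs):
    """I(X;Y) in bits from the empirical joint distribution of (x, y)."""
    n = len(pairs)
    joint = {k: v / n for k, v in Counter(pairs).items()}
    px = {x: sum(p for (a, _), p in joint.items() if a == x) for x in (0, 1)}
    py = {y: sum(p for (_, b), p in joint.items() if b == y) for y in (0, 1)}
    return sum(p * log2(p / (px[x] * py[y]))
               for (x, y), p in joint.items() if p > 0)


def capability(pairs):
    """Normalized mutual information I(X;Y)/H(X).

    1.0 means the filter's decision fully determines whether an alarm was
    true; 0.0 means the decision carries no information about it.  If every
    alarm has the same label, H(X) = 0 and nothing can be measured, so the
    function returns 0.0 instead of dividing by zero.
    """
    n = len(pairs)
    px = {x: sum(1 for a, _ in pairs if a == x) / n for x in (0, 1)}
    hx = entropy(px)
    return mutual_information(pairs) / hx if hx > 0 else 0.0


# Constructed scenarios: 100 true alarms among 1000 raised (base rate 10%).
SCENARIOS = {
    "filter_a": make_pairs(tp=90, fn=10, fp=100, tn=800),   # TPR 0.9, FPR 0.11
    "filter_b": make_pairs(tp=90, fn=10, fp=450, tn=450),   # TPR 0.9, FPR 0.50
    "keep_all": make_pairs(tp=100, fn=0, fp=900, tn=0),     # no filtering at all
    "perfect": make_pairs(tp=100, fn=0, fp=0, tn=900),      # ideal filter
}


def compare(scenarios=SCENARIOS):
    """Return {name: (tpr, fpr, capability)} for every scenario."""
    return {name: (*rates(p), capability(p)) for name, p in scenarios.items()}


if __name__ == "__main__":
    for name, (tpr, fpr, cap) in compare().items():
        print(f"{name:9s} TPR={tpr:.3f} FPR={fpr:.3f} C={cap:.3f}")
```

Filters A and B share the same TPR, so that metric alone cannot separate them, while the single normalized metric ranks A (about 0.43) well above B (about 0.10). The keep-everything filter reaches TPR = 1 yet scores 0, because passing every alarm unchanged tells the analyst nothing about which alarms were true.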
