Benchmarking anomaly-based detection systems

Anomaly detection is a key element of intrusion detection and other detection systems in which perturbations of normal behavior suggest the presence of intentionally or unintentionally induced attacks, faults, defects, etc. Because most anomaly detectors are based on probabilistic algorithms that exploit the intrinsic structure (or regularity) embedded in data logs, a fundamental question is whether or not such structure influences detection performance. If detector performance is indeed a function of environmental regularity, it would be critical to match detectors to environmental characteristics. In intrusion-detection settings, however, this is not done, possibly because such characteristics are not easily ascertained. This paper introduces a metric for characterizing structure in data environments, and tests the hypothesis that intrinsic structure influences probabilistic detection. In a series of experiments, an anomaly detection algorithm was applied to a benchmark suite of 165 carefully calibrated, anomaly-injected data sets of varying structure. The results showed performance differences of as much as an order of magnitude, indicating that current approaches to anomaly detection may not be universally dependable.
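The experiment the abstract describes can be reproduced in miniature. The following is an added example, not code from the paper: it assumes normalised first-order conditional entropy as the structure (regularity) metric, a first-order Markov model with Laplace smoothing as the probabilistic detector, and anomalies injected as windows of uniformly random symbols into otherwise normal synthetic event sequences. The abstract names none of these choices; they are stand-ins chosen to make the hypothesis testable offline. Detection quality is reported as the false-alarm rate at the threshold that just catches the injected window, i.e. one operating point on the detector's ROC curve.

```python
"""Added example: does detector performance depend on data regularity?

Assumptions (not the paper's): conditional entropy as the structure metric,
a first-order Markov detector, uniformly random injected windows.
"""
import math
import random
from collections import Counter

ALPHABET = 8   # number of distinct symbols (e.g. event or syscall types)
WINDOW = 20    # length of the injected anomaly and of each scored window


def generate(n, p_follow, rng):
    """Constructed 'normal' data: symbol i is followed by (i+1) mod ALPHABET
    with probability p_follow, otherwise by any other symbol uniformly.
    p_follow near 1 gives highly regular data, near 1/ALPHABET near-random data."""
    seq = [rng.randrange(ALPHABET)]
    for _ in range(n - 1):
        nxt = (seq[-1] + 1) % ALPHABET
        if rng.random() < p_follow:
            seq.append(nxt)
        else:
            seq.append(rng.choice([s for s in range(ALPHABET) if s != nxt]))
    return seq


def conditional_entropy(seq):
    """Structure metric: plug-in estimate of H(X_t | X_{t-1}) in bits, divided
    by log2(ALPHABET); 0 = fully deterministic, 1 = no exploitable structure."""
    pairs = Counter(zip(seq, seq[1:]))
    prev = Counter(seq[:-1])
    total = len(seq) - 1
    h = 0.0
    for (a, b), c in pairs.items():
        h -= (c / total) * math.log2(c / prev[a])
    return h / math.log2(ALPHABET)


class MarkovDetector:
    """First-order Markov anomaly detector with Laplace (add-one) smoothing."""

    def __init__(self, train):
        self.pairs = Counter(zip(train, train[1:]))
        self.prev = Counter(train[:-1])

    def surprise(self, a, b):
        # -log2 P(b | a); transitions never seen in training are not impossible,
        # just expensive, thanks to the smoothing term
        p = (self.pairs[(a, b)] + 1) / (self.prev[a] + ALPHABET)
        return -math.log2(p)

    def window_scores(self, seq):
        """Mean surprise of every length-WINDOW sliding window, keyed by start."""
        per_symbol = [0.0] + [self.surprise(a, b) for a, b in zip(seq, seq[1:])]
        return {s: sum(per_symbol[s:s + WINDOW]) / WINDOW
                for s in range(1, len(seq) - WINDOW + 1)}


def inject_anomaly(seq, start, rng):
    """Overwrite seq[start:start+WINDOW] with uniformly random symbols."""
    out = list(seq)
    for i in range(start, start + WINDOW):
        out[i] = rng.randrange(ALPHABET)
    return out


def false_alarm_rate(detector, test, start):
    """Fraction of normal windows scoring at least as high as the injected one:
    the false-alarm rate at the threshold that just detects the anomaly."""
    scores = detector.window_scores(test)
    target = scores[start]
    normal = [v for s, v in scores.items()
              if s + WINDOW <= start or s > start + WINDOW]
    return sum(v >= target for v in normal) / len(normal)


def benchmark(p_follow, trials=30, seed=1):
    """Train on data of the given regularity, then inject one anomaly per trial
    into fresh test data. Returns (normalised entropy, mean false-alarm rate)."""
    rng = random.Random(seed)
    train = generate(5000, p_follow, rng)
    det = MarkovDetector(train)
    rates = []
    for _ in range(trials):
        clean = generate(2000, p_follow, rng)
        start = rng.randrange(WINDOW, len(clean) - 2 * WINDOW)
        rates.append(false_alarm_rate(det, inject_anomaly(clean, start, rng), start))
    return conditional_entropy(train), sum(rates) / trials


if __name__ == "__main__":
    for label, p in (("high regularity", 0.95), ("low regularity", 0.20)):
        h, fa = benchmark(p)
        print(f"{label}: normalised conditional entropy {h:.2f}, "
              f"false alarms at detection {fa:.3f}")
```

Nothing about the detector changes between the two runs; only the regularity of the environment does. On the highly regular stream the injected window is essentially the only thing that looks surprising, while on the low-regularity stream a substantial fraction of perfectly normal windows score at least as high as the anomaly, so the same detector at the same operating point is far less dependable. Swapping in a different structure metric or detector keeps the experiment's shape; the point is that the metric is computed on the data before the detector is chosen.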
