An intrusion detection system (IDS) is a security layer used to detect ongoing intrusive activities in information systems. Traditionally, intrusion detection relies on extensive knowledge of security experts, in particular, on their familiarity with the computer system to be protected. To reduce this dependence, various data-mining and machine learning techniques have been deployed for intrusion detection. An IDS is usually working in a dynamically changing environment, which forces continuous tuning of the intrusion detection model, in order to maintain sufficient performance. The manual tuning process required by current systems depends on the system operators in working out the tuning solution and in integrating it into the detection model. In this paper, an automatically tuning IDS (ATIDS) is presented. The proposed system will automatically tune the detection model on-the-fly according to the feedback provided by the system operator when false predictions are encountered. The system is evaluated using the KDDCup'99 intrusion detection dataset. Experimental results show that the system achieves up to 35% improvement in terms of misclassification cost when compared with a system lacking the tuning feature. If only 10% false predictions are used to tune the model, the system still achieves about 30% improvement. Moreover, when tuning is not delayed too long, the system can achieve about 20% improvement, with only 1.3% of the false predictions used to tune the model. The results of the experiments show that a practical system can be built based on ATIDS: system operators can focus on verification of predictions with low confidence, as only those predictions determined to be false will be used to tune the detection model.
An intrusion detection system (IDS) is a security layer to detect ongoing intrusive activities in computer systems and networks. Current IDS have two main problems: The first problem is that typically so many alarms are generated as to overwhelm the system operator, many of these being false alarms. The second problem is that continuous tuning of the intrusion detection model is required in order to maintain sufficient performance due to the dynamically changing nature of the monitored system. This manual tuning process relies on the system operators to work out the updated tuning solution and to integrate it into the detection model.In this article, we present an automatically tuning intrusion detection system, which controls the number of alarms output to the system operator and tunes the detection model on the fly according to feedback provided by the system operator when false predictions are identified. This system adapts its behavior (i) by throttling the volume of alarms output to the operator in response to the ability of the operator to respond to these alarms, and (ii) by deciding how aggressively the detection model should be tuned based on the accuracy of earlier predictions. We evaluated our system using the KDDCup'99 intrusion detection dataset. Our results show that an adaptive, automatically tuning intrustion detection system will be both practical and efficient.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.