Alert confidence fusion in intrusion detection systems with extended Dempster-Shafer theory

Yu, Dong; Frincke, Deborah A.

doi:10.1145/1167253.1167289

Cited by 48 publications

(38 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The major challenge for applying D-S theory to IDS is to determine the beliefs of whether an event is malicious or not, from the collected network measurements [4]. There exist multiple ways of assigning probabilities to each of the hypotheses in D-S theory, ranging from data mining techniques to empirical/manual approaches.…”

mentioning

confidence: 99%

Manual and Automatic assigned thresholds in multi‐layer data fusion intrusion detection system for 802.11 attacks

Kyriakopoulos

Aparicio-Navarro

Parish

2014

IET Information Security

View full text Add to dashboard Cite

., 2014. Manual and automatic assigned thresholds in multi-layer data fusion intrusion detection system for 802.11 attacks. IET Information Security,8 (1), pp. 42 -50.Additional Information:• This paper was published in the journal, IET Information Security [ c Intrusion Detection Systems for wireless attacks either focuses on just one layer of observation or uses a limited number of metrics without proper data fusion techniques. However, the true status of a network is rarely accurately detectable by examining only one network layer. The goal of this work is to detect injection types of attacks in wireless networks by fusing multi-metrics using the Dempster-Shafer (D-S) belief theory. When combining beliefs, an important step to consider is the automatic and self-adaptive process of Basic Probability Assignment (BPA).This work presents a comparison between manual and automatic BPA methods using the D-S technique. Custom tailoring BPAs in an optimum manner under specific network conditions could be extremely time consuming and difficult. In contrast, automatic methods have the advantage of not requiring any prior training or calibration from an administrator. The results show that multi-layer techniques perform more efficiently when compared to conventional methods. In addition, the automatic assignment of beliefs makes the use of such a system easier to deploy whilst providing a similar performance to that of a manual system.

show abstract

mentioning

confidence: 99%

Manual and Automatic assigned thresholds in multi‐layer data fusion intrusion detection system for 802.11 attacks

Kyriakopoulos

Aparicio-Navarro

Parish

2014

IET Information Security

View full text Add to dashboard Cite

show abstract

“…The methodology employed by [8] uses data mining techniques to proceed with the BPA tasks. The use of data mining techniques mostly focuses on processing large amounts of audit data traffic rather than performing real-time detection.…”

Section: Related Workmentioning

confidence: 99%

“…This is to find an automatic and selfadaptive process of Basic Probability Assignment (BPA), based on the measured characteristics of the network. The major challenge for applying D-S theory in IDS is to automatically determine the beliefs from the network measurements [8].…”

mentioning

confidence: 99%

An automatic and self-adaptive multi-layer data fusion system for WiFi attack detection

Aparicio-Navarro

Kyriakopoulos

Parish

2013

IJITST

View full text Add to dashboard Cite

Abstract-Wireless networks are increasingly becoming susceptible to more sophisticated threats. An attacker may spoof the identity of legitimate users before implementing more serious attacks. Most of the current Intrusion Detection Systems (IDSs) that employ multi-layer approach to help towards mitigating network attacks, offer higher detection accuracy rate and low numbers of false alarms than IDSs that employ single layer approach. However, few of the current multi-layer IDSs could be used off-the-shelf without a prior thorough training with completely clean datasets or fine tuning period. Dempster-Shafer theory has been used with the purpose of combining beliefs of different metric measurements across multiple layers. However, an important step to be investigated remains open; this is to find an automatic and self-adaptive process of Basic Probability Assignment (BPA). This paper describes a novel BPA methodology able to automatically adapt its detection capabilities to the current measured characteristics, with a light weight process of generating a baseline profile of normal utilisation and without intervention from the IDS administrator. We have developed a multilayer based application able to classify individual network frames as normal or malicious with very high accuracy.

show abstract

“…There have been past attempts [34,36] at achieving this. Bayesian analysis [14] has been the standard and there have been some approaches using alternative theories such as Dempster-Shafer theory [23].…”

Section: Quantifying Uncertaintymentioning

confidence: 99%

“…Dempster-Shafer theory has unique advantages in handling uncertainty in intrusion analysis, namely, the ability to deal with the lack of prior probabilities for all (singleton) events and the ability to combine beliefs from multiple sources of evidence [6,7,34]. In this paper we present an extended Dempster-Shafer model that addresses the fundamental issues in applying DS in intrusion analysis, as mentioned in 1.1.…”

Section: Our Contributionsmentioning

confidence: 99%

Prioritizing intrusion analysis using Dempster-Shafer theory

Zomlot

Sundaramurthy

Luo

et al. 2011

Proceedings of the 4th ACM Workshop on Security and Artificial Intelligence

View full text Add to dashboard Cite

Intrusion analysis and incident management remains a difficult problem in practical network security defense. The root cause of this problem is the large rate of false positives in the sensors used by Intrusion Detection System (IDS) systems, reducing the value of the alerts to an administrator. Standard Bayesian theory has not been effective in this regard because of the lack of good prior knowledge. This paper presents an approach to handling such uncertainty without the need for prior information, through the Dempster-Shafer (DS) theory. We address a number of practical but fundamental issues in applying DS to intrusion analysis, including how to model sensors' trustworthiness, where to obtain such parameters, and how to address the lack of independence among alerts. We present an efficient algorithm for carrying out DS belief calculation on an IDS alert correlation graph, so that one can compute a belief score for a given hypothesis, e.g. a specific machine is compromised. The belief strength can be used to sort incident-related hypotheses and prioritize further analysis by a human analyst of the hypotheses and the associated evidence. We have implemented our approach for the open-source IDS system Snort and evaluated its effectiveness on a number of data sets as well as a production network. The resulting belief scores were verified through both anecdotal experience on the production system as well as by comparing the belief rankings of hypotheses with the ground truths provided by the data sets we used in evaluation, showing thereby that belief scores can be effective in mitigating the high false positive rate problem in intrusion analysis.

show abstract

Alert confidence fusion in intrusion detection systems with extended Dempster-Shafer theory

Cited by 48 publications

References 11 publications

Manual and Automatic assigned thresholds in multi‐layer data fusion intrusion detection system for 802.11 attacks

Manual and Automatic assigned thresholds in multi‐layer data fusion intrusion detection system for 802.11 attacks

An automatic and self-adaptive multi-layer data fusion system for WiFi attack detection

Prioritizing intrusion analysis using Dempster-Shafer theory

Contact Info

Product

Resources

About