Modeling and Performance Analysis on the Response Capacity against Alert Information in an Intrusion Detection System

Jeon, Yong-Hee; Jang, Jung-Sook; Jang, Jongsoo

doi:10.3745/kipstc.2005.12c.6.855

Cited by 1 publication

(2 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Similarly, bursts of messages may be indicative of spam campaigns [32]. Others investigate the negative impact that bursts of network traffic have on the accuracy of anomaly detection [33] or on the possibility that the intrusion detection tools may be unable to cope with an extremely high rate of alerts when they arrive in a major burst [2], [34]. Others propose effective approaches to handling and aggregating bursts of alerts [33], [35].…”

Section: B Prior Work On Burstinessmentioning

confidence: 99%

“…While this lends no new insight as to how to find novel intrusions, understanding and modeling the dynamics of burstiness in intrusion detection would help anticipate the variability of detections over time using established intrusion detection methods. One obvious benefit that would accrue from such a model, if calibrated for a given network, would be to enable a manager of MSSP operations to project the workload and allocate and schedule the efforts of cyber analysts and other resources in a more effective manner (compare with similar arguments in [2]). …”

mentioning

confidence: 99%

See 1 more Smart Citation

Burstiness of Intrusion Detection Process: Empirical Evidence and a Modeling Approach

Harang

Kott

2017

IEEE Trans.Inform.Forensic Secur.

View full text Add to dashboard Cite

Abstract-We analyze sets of intrusion detection records observed on the networks of several large, nonresidential organizations protected by a form of intrusion detection and prevention service. Our analyses reveal that the process of intrusion detection in these networks exhibits a significant degree of burstiness as well as strong memory, with burstiness and memory properties that are comparable to those of natural processes driven by threshold effects, but different from bursty human activities. We explore time-series models of these observable network security incidents based on partially observed data using a hidden Markov model with restricted hidden states, which we fit using Markov Chain Monte Carlo techniques. We examine the output of the fitted model with respect to its statistical properties and demonstrate that the model adequately accounts for intrinsic "bursting" within observed network incidents as a result of alternation between two or more stochastic processes. While our analysis does not lead directly to new detection capabilities, the practical implications of gaining better understanding of the observed burstiness are significant, and include opportunities for quantifying a network's risks and defensive efforts.Index Terms-bursty processes, cyber risk assessment, cyber security, estimating undetected malware, malware detection model, predictive models for cyber intrusions I. INTRODUCTION AND MOTIVATION A. MotivationWe explore approaches to modeling the detection process of cyber infections, i.e., presence of malicious softwaremalware -on a computer network. Often, this process is performed by a specialized organization -Managed Security Service Provider (MSSP) [1] -that monitors computer networks, analyzes the information obtained from the network, detects intrusions and activities of malware on the network, and reports such detections to the operators of the network who then take measures necessary to recover from the intrusion. As this research is based on empirical data provided to authors by a MSSP covering several large, non-residential networks, hereafter we use the term MSSP when referring to a network's cyber defenders.

show abstract

Section: B Prior Work On Burstinessmentioning

confidence: 99%

mentioning

confidence: 99%