Autonomic Parameter Tuning of Anomaly-Based IDSs: an SSH Case Study

Anomaly-based intrusion detection systems classify network traffic instances by comparing them with a model of the normal network behavior. To be effective, such systems are expected to precisely detect intrusions (high true positive rate) while limiting the number of false alarms (low false positiv...

Full description

Saved in:
Bibliographic Details
Published in:IEEE eTransactions on network and service management 2012-06, Vol.9 (2), p.128-141
Main Authors: Sperotto, A., Mandjes, M., Sadre, R., de Boer, P., Pras, A.
Format: Article
Language:English
Subjects:
Anomalies
Autonomic
Dictionaries
False alarms
Hidden Markov models
Intrusion
Intrusion detection
Intrusion detection systems
Mathematical models
Measurement
network management
Networks
Optimization
parameter optimization
Studies
Time series analysis
Tradeoffs
Traffic engineering
Traffic flow
Tuning
Citations: Items that this one cites
Items that cite this one
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Anomaly-based intrusion detection systems classify network traffic instances by comparing them with a model of the normal network behavior. To be effective, such systems are expected to precisely detect intrusions (high true positive rate) while limiting the number of false alarms (low false positive rate). However, there exists a natural trade-off between detecting all anomalies (at the expense of raising alarms too often), and missing anomalies (but not issuing any false alarms). The parameters of a detection system play a central role in this trade-off, since they determine how responsive the system is to an intrusion attempt. Despite the importance of properly tuning the system parameters, the literature has put little emphasis on the topic, and the task of adjusting such parameters is usually left to the expertise of the system manager or expert IT personnel. In this paper, we present an autonomic approach for tuning the parameters of anomaly-based intrusion detection systems in case of SSH traffic. We propose a procedure that aims to automatically tune the system parameters and, by doing so, to optimize the system performance. We validate our approach by testing it on a flow-based probabilistic detection system for the detection of SSH attacks.
ISSN:1932-4537
1932-4537
DOI:10.1109/TNSM.2012.031512.110146