Abstract
IDS research still lacks strong mathematical foundations and theoretical guidelines. In this paper we build a formal framework, based on information theory, for analyzing and quantifying the effectiveness of an IDS. We first present a formal IDS model and then analyze it from an information-theoretic point of view. On that basis we propose a set of information-theoretic metrics that quantitatively measure the effectiveness of an IDS in terms of feature representation capability, classification information loss, and overall intrusion detection capability. We establish the relationship between these metrics and prove a fundamental upper bound on the intrusion detection capability of an IDS. The framework is a practical theory: it is driven by data traces and oriented toward evaluation. Besides grounding IDS research in a mathematical theory suitable for formal study, it provides practical guidelines for IDS fine-tuning, evaluation and design: the metrics support static and dynamic fine-tuning of an IDS toward optimal operation, and give a fine-grained means to evaluate IDS performance and improve IDS design. We conduct experiments to demonstrate the utility of the framework in practice.
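The abstract names three quantities but does not define them on this page. The following is an added example, not code from the paper, that makes the ideas concrete on a constructed trace. It models the IDS as the chain X -> F -> Y (X the ground truth, F the feature value the IDS extracts, Y the alert computed from F alone) and uses the assumed forms C_ID = I(X;Y)/H(X), which is the intrusion detection capability from Gu et al.'s ASIACCS 2006 paper, C_R = I(X;F)/H(X) for feature representation capability, and loss = C_R - C_ID for classification information loss; the paper's exact normalisation of the latter two may differ. The trace counts, feature buckets and alert rules are all constructed for the example. Because Y is a function of F only, the data processing inequality gives I(X;Y) <= I(X;F), which is the kind of upper bound the abstract refers to: no classifier can recover information the feature extractor has already discarded.

```python
"""Information-theoretic IDS metrics over a constructed, labelled trace.

Added example (not the paper's code). The IDS is the chain X -> F -> Y:
X is the ground truth (1 = intrusion), F the feature value extracted from an
event, Y the alert decision computed from F alone. Metric forms are
assumptions modelled on Gu et al.'s C_ID = I(X;Y)/H(X) (ASIACCS 2006);
C_R = I(X;F)/H(X) and loss = C_R - C_ID are this example's normalisation.
"""
from collections import Counter
from math import log2


def entropy(probs):
    """Shannon entropy in bits; zero-probability terms contribute nothing."""
    return -sum(p * log2(p) for p in probs if p > 0)


def mutual_information(joint):
    """I(A;B) = H(A) + H(B) - H(A,B) for a dict {(a, b): probability}."""
    pa, pb = Counter(), Counter()
    for (a, b), p in joint.items():
        pa[a] += p
        pb[b] += p
    return entropy(pa.values()) + entropy(pb.values()) - entropy(joint.values())


def empirical_joint(pairs):
    """Empirical joint distribution of a list of (a, b) samples."""
    n = len(pairs)
    return {k: c / n for k, c in Counter(pairs).items()}


def ids_metrics(trace, alert_rule):
    """Metrics for a trace of (x, f) records and a classifier alert_rule(f) -> 0/1.

    Y depends on F only, so X -> F -> Y is a Markov chain and the data
    processing inequality gives I(X;Y) <= I(X;F), i.e. C_ID <= C_R.
    """
    xf = empirical_joint(trace)
    xy = empirical_joint([(x, alert_rule(f)) for x, f in trace])
    px = Counter()
    for (x, _), p in xf.items():
        px[x] += p
    hx = entropy(px.values())
    c_r = mutual_information(xf) / hx      # feature representation capability
    c_id = mutual_information(xy) / hx     # intrusion detection capability
    return {"C_R": c_r, "C_ID": c_id, "loss": c_r - c_id}


def c_id_from_rates(base_rate, fp_rate, fn_rate):
    """C_ID from base rate B = P(X=1), FP rate P(Y=1|X=0) and FN rate
    P(Y=0|X=1) alone; handy when tuning a threshold from a confusion matrix."""
    b = base_rate
    joint = {(0, 0): (1 - b) * (1 - fp_rate), (0, 1): (1 - b) * fp_rate,
             (1, 0): b * fn_rate, (1, 1): b * (1 - fn_rate)}
    return mutual_information(joint) / entropy([1 - b, b])


# Constructed trace: 10,000 connections bucketed by one feature (think of a
# connection-rate bucket); 50 of them are intrusions, a 0.5% base rate.
COUNTS = {(0, "low"): 9500, (0, "mid"): 400, (0, "high"): 50,
          (1, "low"): 5, (1, "mid"): 15, (1, "high"): 30}
TRACE = [key for key, n in COUNTS.items() for _ in range(n)]


def alert_on_high(f):          # conservative threshold: FP 50/9950, FN 20/50
    return int(f == "high")


def alert_on_mid_or_high(f):   # aggressive threshold: FP 450/9950, FN 5/50
    return int(f != "low")


if __name__ == "__main__":
    for name, rule in (("high", alert_on_high), ("mid|high", alert_on_mid_or_high)):
        m = ids_metrics(TRACE, rule)
        print(f"{name:9s} C_R={m['C_R']:.3f}  C_ID={m['C_ID']:.3f}  loss={m['loss']:.3f}")
    # The same quantity from rates alone: base rate 0.5%, FP 0.5%, FN 40%.
    print(f"C_ID(B=0.005, alpha=0.005, beta=0.4) = {c_id_from_rates(0.005, 0.005, 0.4):.3f}")
```

On this trace the feature alone carries roughly half of H(X) (C_R near 0.49), and both alert rules land well below that ceiling; moving the threshold trades false positives for false negatives but cannot raise C_ID above C_R, which is exactly why the framework separates the feature-extraction stage from the classification stage when diagnosing where an IDS loses detection capability. Note also how low the base rate pushes the absolute numbers: with a 0.5% base rate even a 0.5% false-positive rate costs a large share of the available information, the base-rate effect Axelsson described.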
Keywords
- Mutual Information
- Intrusion Detection
- Information Loss
- Intrusion Detection System
- Feature Representation
© 2006 Springer-Verlag Berlin Heidelberg
Cite this paper
Gu, G., Fogla, P., Dagon, D., Lee, W., Skoric, B. (2006). Towards an Information-Theoretic Framework for Analyzing Intrusion Detection Systems. In: Gollmann, D., Meier, J., Sabelfeld, A. (eds) Computer Security – ESORICS 2006. ESORICS 2006. Lecture Notes in Computer Science, vol 4189. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11863908_32
DOI: https://doi.org/10.1007/11863908_32
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-44601-9
Online ISBN: 978-3-540-44605-7