Measuring intrusion detection capability : an information-theoretic approach

G. Gu; P. Fogla; D. Dagon; W. Lee; B. Skoric

doi:10.1145/1128817.1128834

Measuring intrusion detection capability : an information-theoretic approach

G. Gu, P. Fogla, D. Dagon, W. Lee, B. Skoric

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

136 Citations (Scopus)

Abstract

A fundamental problem in intrusion detection is what metric(s) can be used to objectively evaluate an intrusion detection system (IDS) in terms of its ability to correctly classify events as normal or intrusive. Traditional metrics (e.g., true positive rate and false positive rate) measure different aspects, but no single metric seems sufficient to measure the capability of intrusion detection systems. The lack of a single unified metric makes it difficult to fine-tune and evaluate an IDS. In this paper, we provide an in-depth analysis of existing metrics. Specifically, we analyze a typical cost-based scheme [6], and demonstrate that this approach is very confusing and ineffective when the cost factor is not carefully selected. In addition, we provide a novel information-theoretic analysis of IDS and propose a new metric that highly complements cost-based analysis. When examining the intrusion detection process from an information-theoretic point of view, intuitively, we should have less uncertainty about the input (event data) given the IDS output (alarm data). Thus, our new metric, CI D (Intrusion Detection Capability), is defined as the ratio of the mutual information between the IDS input and output to the entropy of the input. CI D has the desired property that: (1) It takes into account all the important aspects of detection capability naturally, i.e., true positive rate, false positive rate, positive predictive value, negative predictive value, and base rate; (2) it objectively provides an intrinsic measure of intrusion detection capability; and (3) it is sensitive to IDS operation parameters such as true positive rate and false positive rate, which can demonstrate the effect of the subtle changes of intrusion detection systems. We propose CI D as an appropriate performance measure to maximize when fine-tuning an IDS. The obtained operation point is the best that can be achieved by the IDS in terms of its intrinsic ability to classify input data. We use numerical examples as well as experiments of actual IDSs on various data sets to show that by using CI D, we can choose the best (optimal) operating point for an IDS and objectively compare different IDSs.

Original language	English
Title of host publication	Proceedings of the 2006 ACM Symposium on Information, Computer and Communications Security (ASIACCS 2006, Taipei, Taiwan, March 21-24, 2006)
Editors	F.C. Lin, D.T. Lee, B.S. Lin, S. Shieh, S. Jajodia
Place of Publication	Providence
Publisher	Association for Computing Machinery, Inc.
Pages	90-101
ISBN (Print)	1-59593-272-0
DOIs	https://doi.org/10.1145/1128817.1128834
Publication status	Published - 2006
Event	2006 ACM Symposium on Information, Computer and Communications Security (ASIACCS 2006) - Taipe, Taiwan Duration: 21 Mar 2006 → 24 Mar 2006

Conference

Conference	2006 ACM Symposium on Information, Computer and Communications Security (ASIACCS 2006)
Abbreviated title	ASIACCS 2006
Country/Territory	Taiwan
City	Taipe
Period	21/03/06 → 24/03/06

Access to Document

10.1145/1128817.1128834

Cite this

Gu, G., Fogla, P., Dagon, D., Lee, W., & Skoric, B. (2006). Measuring intrusion detection capability : an information-theoretic approach. In F. C. Lin, D. T. Lee, B. S. Lin, S. Shieh, & S. Jajodia (Eds.), Proceedings of the 2006 ACM Symposium on Information, Computer and Communications Security (ASIACCS 2006, Taipei, Taiwan, March 21-24, 2006) (pp. 90-101). Association for Computing Machinery, Inc.. https://doi.org/10.1145/1128817.1128834

Gu, G. ; Fogla, P. ; Dagon, D. et al. / Measuring intrusion detection capability : an information-theoretic approach. Proceedings of the 2006 ACM Symposium on Information, Computer and Communications Security (ASIACCS 2006, Taipei, Taiwan, March 21-24, 2006). editor / F.C. Lin ; D.T. Lee ; B.S. Lin ; S. Shieh ; S. Jajodia. Providence : Association for Computing Machinery, Inc., 2006. pp. 90-101

@inproceedings{560edbf5d89748a2992496d5fcfb7234,

title = "Measuring intrusion detection capability : an information-theoretic approach",

abstract = "A fundamental problem in intrusion detection is what metric(s) can be used to objectively evaluate an intrusion detection system (IDS) in terms of its ability to correctly classify events as normal or intrusive. Traditional metrics (e.g., true positive rate and false positive rate) measure different aspects, but no single metric seems sufficient to measure the capability of intrusion detection systems. The lack of a single unified metric makes it difficult to fine-tune and evaluate an IDS. In this paper, we provide an in-depth analysis of existing metrics. Specifically, we analyze a typical cost-based scheme [6], and demonstrate that this approach is very confusing and ineffective when the cost factor is not carefully selected. In addition, we provide a novel information-theoretic analysis of IDS and propose a new metric that highly complements cost-based analysis. When examining the intrusion detection process from an information-theoretic point of view, intuitively, we should have less uncertainty about the input (event data) given the IDS output (alarm data). Thus, our new metric, CI D (Intrusion Detection Capability), is defined as the ratio of the mutual information between the IDS input and output to the entropy of the input. CI D has the desired property that: (1) It takes into account all the important aspects of detection capability naturally, i.e., true positive rate, false positive rate, positive predictive value, negative predictive value, and base rate; (2) it objectively provides an intrinsic measure of intrusion detection capability; and (3) it is sensitive to IDS operation parameters such as true positive rate and false positive rate, which can demonstrate the effect of the subtle changes of intrusion detection systems. We propose CI D as an appropriate performance measure to maximize when fine-tuning an IDS. The obtained operation point is the best that can be achieved by the IDS in terms of its intrinsic ability to classify input data. We use numerical examples as well as experiments of actual IDSs on various data sets to show that by using CI D, we can choose the best (optimal) operating point for an IDS and objectively compare different IDSs. ",

author = "G. Gu and P. Fogla and D. Dagon and W. Lee and B. Skoric",

year = "2006",

doi = "10.1145/1128817.1128834",

language = "English",

isbn = "1-59593-272-0",

pages = "90--101",

editor = "F.C. Lin and D.T. Lee and B.S. Lin and S. Shieh and S. Jajodia",

booktitle = "Proceedings of the 2006 ACM Symposium on Information, Computer and Communications Security (ASIACCS 2006, Taipei, Taiwan, March 21-24, 2006)",

publisher = "Association for Computing Machinery, Inc.",

address = "United States",

note = "2006 ACM Symposium on Information, Computer and Communications Security (ASIACCS 2006), ASIACCS 2006 ; Conference date: 21-03-2006 Through 24-03-2006",

}

Gu, G, Fogla, P, Dagon, D, Lee, W & Skoric, B 2006, Measuring intrusion detection capability : an information-theoretic approach. in FC Lin, DT Lee, BS Lin, S Shieh & S Jajodia (eds), Proceedings of the 2006 ACM Symposium on Information, Computer and Communications Security (ASIACCS 2006, Taipei, Taiwan, March 21-24, 2006). Association for Computing Machinery, Inc., Providence, pp. 90-101, 2006 ACM Symposium on Information, Computer and Communications Security (ASIACCS 2006), Taipe, Taiwan, 21/03/06. https://doi.org/10.1145/1128817.1128834

Measuring intrusion detection capability : an information-theoretic approach. / Gu, G.; Fogla, P.; Dagon, D. et al.
Proceedings of the 2006 ACM Symposium on Information, Computer and Communications Security (ASIACCS 2006, Taipei, Taiwan, March 21-24, 2006). ed. / F.C. Lin; D.T. Lee; B.S. Lin; S. Shieh; S. Jajodia. Providence: Association for Computing Machinery, Inc., 2006. p. 90-101.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Measuring intrusion detection capability : an information-theoretic approach

AU - Gu, G.

AU - Fogla, P.

AU - Dagon, D.

AU - Lee, W.

AU - Skoric, B.

PY - 2006

Y1 - 2006

N2 - A fundamental problem in intrusion detection is what metric(s) can be used to objectively evaluate an intrusion detection system (IDS) in terms of its ability to correctly classify events as normal or intrusive. Traditional metrics (e.g., true positive rate and false positive rate) measure different aspects, but no single metric seems sufficient to measure the capability of intrusion detection systems. The lack of a single unified metric makes it difficult to fine-tune and evaluate an IDS. In this paper, we provide an in-depth analysis of existing metrics. Specifically, we analyze a typical cost-based scheme [6], and demonstrate that this approach is very confusing and ineffective when the cost factor is not carefully selected. In addition, we provide a novel information-theoretic analysis of IDS and propose a new metric that highly complements cost-based analysis. When examining the intrusion detection process from an information-theoretic point of view, intuitively, we should have less uncertainty about the input (event data) given the IDS output (alarm data). Thus, our new metric, CI D (Intrusion Detection Capability), is defined as the ratio of the mutual information between the IDS input and output to the entropy of the input. CI D has the desired property that: (1) It takes into account all the important aspects of detection capability naturally, i.e., true positive rate, false positive rate, positive predictive value, negative predictive value, and base rate; (2) it objectively provides an intrinsic measure of intrusion detection capability; and (3) it is sensitive to IDS operation parameters such as true positive rate and false positive rate, which can demonstrate the effect of the subtle changes of intrusion detection systems. We propose CI D as an appropriate performance measure to maximize when fine-tuning an IDS. The obtained operation point is the best that can be achieved by the IDS in terms of its intrinsic ability to classify input data. We use numerical examples as well as experiments of actual IDSs on various data sets to show that by using CI D, we can choose the best (optimal) operating point for an IDS and objectively compare different IDSs.

AB - A fundamental problem in intrusion detection is what metric(s) can be used to objectively evaluate an intrusion detection system (IDS) in terms of its ability to correctly classify events as normal or intrusive. Traditional metrics (e.g., true positive rate and false positive rate) measure different aspects, but no single metric seems sufficient to measure the capability of intrusion detection systems. The lack of a single unified metric makes it difficult to fine-tune and evaluate an IDS. In this paper, we provide an in-depth analysis of existing metrics. Specifically, we analyze a typical cost-based scheme [6], and demonstrate that this approach is very confusing and ineffective when the cost factor is not carefully selected. In addition, we provide a novel information-theoretic analysis of IDS and propose a new metric that highly complements cost-based analysis. When examining the intrusion detection process from an information-theoretic point of view, intuitively, we should have less uncertainty about the input (event data) given the IDS output (alarm data). Thus, our new metric, CI D (Intrusion Detection Capability), is defined as the ratio of the mutual information between the IDS input and output to the entropy of the input. CI D has the desired property that: (1) It takes into account all the important aspects of detection capability naturally, i.e., true positive rate, false positive rate, positive predictive value, negative predictive value, and base rate; (2) it objectively provides an intrinsic measure of intrusion detection capability; and (3) it is sensitive to IDS operation parameters such as true positive rate and false positive rate, which can demonstrate the effect of the subtle changes of intrusion detection systems. We propose CI D as an appropriate performance measure to maximize when fine-tuning an IDS. The obtained operation point is the best that can be achieved by the IDS in terms of its intrinsic ability to classify input data. We use numerical examples as well as experiments of actual IDSs on various data sets to show that by using CI D, we can choose the best (optimal) operating point for an IDS and objectively compare different IDSs.

U2 - 10.1145/1128817.1128834

DO - 10.1145/1128817.1128834

M3 - Conference contribution

SN - 1-59593-272-0

SP - 90

EP - 101

BT - Proceedings of the 2006 ACM Symposium on Information, Computer and Communications Security (ASIACCS 2006, Taipei, Taiwan, March 21-24, 2006)

A2 - Lin, F.C.

A2 - Lee, D.T.

A2 - Lin, B.S.

A2 - Shieh, S.

A2 - Jajodia, S.

PB - Association for Computing Machinery, Inc.

CY - Providence

T2 - 2006 ACM Symposium on Information, Computer and Communications Security (ASIACCS 2006)

Y2 - 21 March 2006 through 24 March 2006

ER -

Gu G, Fogla P, Dagon D, Lee W, Skoric B. Measuring intrusion detection capability : an information-theoretic approach. In Lin FC, Lee DT, Lin BS, Shieh S, Jajodia S, editors, Proceedings of the 2006 ACM Symposium on Information, Computer and Communications Security (ASIACCS 2006, Taipei, Taiwan, March 21-24, 2006). Providence: Association for Computing Machinery, Inc. 2006. p. 90-101 doi: 10.1145/1128817.1128834

Measuring intrusion detection capability : an information-theoretic approach

Abstract

Conference

Access to Document

Fingerprint

Cite this