Towards an information-theoretic framework for analyzing intrusion detection systems

G. Gu, P. Fogla, D. Dagon, W. Lee, B. Skoric

    Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, Academic, peer-review

    19 Citations (Scopus)

    Abstract

    IDS research still needs stronger mathematical foundations and theoretical guidelines. In this paper, we build a formal framework, based on information theory, for analyzing and quantifying the effectiveness of an IDS. We first present a formal IDS model, then analyze it following an information-theoretic approach. From this analysis we propose a set of information-theoretic metrics that quantitatively measure the effectiveness of an IDS in terms of feature representation capability, classification information loss, and overall intrusion detection capability. We establish a link relating these metrics, and prove a fundamental upper bound on the intrusion detection capability of an IDS. Our framework is a practical theory: it is driven by data traces and oriented towards evaluation. In addition to grounding IDS research on a mathematical theory for formal study, this framework provides practical guidelines for IDS fine-tuning, evaluation and design; that is, the provided set of metrics greatly facilitates static and dynamic fine-tuning of an IDS to achieve optimal operation, and gives a fine-grained means to evaluate IDS performance and improve IDS design. We conduct experiments to demonstrate the utility of our framework in practice.
    Original language: English
    Title of host publication: Computer Security - ESORICS 2006: 11th European Symposium on Research in Computer Security, Hamburg, Germany, September 18-20, 2006, Proceedings
    Editors: D. Gollmann, J. Meier, A. Sabelfeld
    Place of Publication: Berlin
    Publisher: Springer
    Pages: 527-546
    ISBN (Print): 3-540-44601-X, 978-3-540-44601-9
    DOIs
    Publication status: Published - 2006
    Event: 11th European Symposium on Research in Computer Security (ESORICS 2006) - University of Hamburg, Hamburg, Germany
    Duration: 18 Sep 2006 to 20 Sep 2006
    Conference number: 11
    Internet address: http://www.esorics06.tu-harburg.de/

    Publication series

    Name: Lecture Notes in Computer Science
    Volume: 4189
    ISSN (Print): 0302-9743

    Conference

    Conference: 11th European Symposium on Research in Computer Security (ESORICS 2006)
    Abbreviated title: ESORICS 2006
    Country: Germany
    City: Hamburg
    Period: 18/09/06 to 20/09/06
    Internet address: http://www.esorics06.tu-harburg.de/
