Towards an information-theoretic framework for analyzing intrusion detection systems

G. Gu; P. Fogla; D. Dagon; W. Lee; B. Skoric

doi:10.1007/11863908_32

Towards an information-theoretic framework for analyzing intrusion detection systems

G. Gu, P. Fogla, D. Dagon, W. Lee, B. Skoric

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

21 Citations (Scopus)

Abstract

IDS research still needs to strengthen mathematical foundations and theoretic guidelines. In this paper, we build a formal framework, based on information theory, for analyzing and quantifying the effectiveness of an IDS. We firstly present a formal IDS model, then analyze it following an information-theoretic approach. Thus, we propose a set of information-theoretic metrics that can quantitatively measure the effectiveness of an IDS in terms of feature representation capability, classification information loss, and overall intrusion detection capability. We establish a link to relate these metrics, and prove a fundamental upper bound on the intrusion detection capability of an IDS. Our framework is a practical theory which is data trace driven and evaluation oriented in this area. In addition to grounding IDS research on a mathematical theory for formal study, this framework provides practical guidelines for IDS fine-tuning, evaluation and design, that is, the provided set of metrics greatly facilitates a static/dynamic fine-tuning of an IDS to achieve optimal operation and a fine-grained means to evaluate IDS performance and improve IDS design. We conduct experiments to demonstrate the utility of our framework in practice.

Original language	English
Title of host publication	Computer Security - ESORICS 2006 : 11th European Symposium on Research in Computer Security, Hamburg, Germany, September 18-20, 2006, Proceedings
Editors	D. Gollmann, J. Meier, A. Sabelfeld
Place of Publication	Berlin
Publisher	Springer
Pages	527-546
ISBN (Print)	3-540-44601-X, 978-3-540-44601-9
DOIs	https://doi.org/10.1007/11863908_32
Publication status	Published - 2006
Event	11th European Symposium on Research in Computer Security (ESORICS 2006) - University of Hamburg, Hamburg, Germany Duration: 18 Sep 2006 → 20 Sep 2006 Conference number: 11 http://www.esorics06.tu-harburg.de/

Publication series

Name	Lecture Notes in Computer Science
Volume	4189
ISSN (Print)	0302-9743

Conference

Conference	11th European Symposium on Research in Computer Security (ESORICS 2006)
Abbreviated title	ESORICS 2006
Country/Territory	Germany
City	Hamburg
Period	18/09/06 → 20/09/06
Internet address	http://www.esorics06.tu-harburg.de/

Access to Document

10.1007/11863908_32

Cite this

Gu, G., Fogla, P., Dagon, D., Lee, W., & Skoric, B. (2006). Towards an information-theoretic framework for analyzing intrusion detection systems. In D. Gollmann, J. Meier, & A. Sabelfeld (Eds.), Computer Security - ESORICS 2006 : 11th European Symposium on Research in Computer Security, Hamburg, Germany, September 18-20, 2006, Proceedings (pp. 527-546). (Lecture Notes in Computer Science; Vol. 4189). Springer. https://doi.org/10.1007/11863908_32

Gu, G. ; Fogla, P. ; Dagon, D. et al. / Towards an information-theoretic framework for analyzing intrusion detection systems. Computer Security - ESORICS 2006 : 11th European Symposium on Research in Computer Security, Hamburg, Germany, September 18-20, 2006, Proceedings. editor / D. Gollmann ; J. Meier ; A. Sabelfeld. Berlin : Springer, 2006. pp. 527-546 (Lecture Notes in Computer Science).

@inproceedings{1e322231105d410287f389049864d99f,

title = "Towards an information-theoretic framework for analyzing intrusion detection systems",

abstract = "IDS research still needs to strengthen mathematical foundations and theoretic guidelines. In this paper, we build a formal framework, based on information theory, for analyzing and quantifying the effectiveness of an IDS. We firstly present a formal IDS model, then analyze it following an information-theoretic approach. Thus, we propose a set of information-theoretic metrics that can quantitatively measure the effectiveness of an IDS in terms of feature representation capability, classification information loss, and overall intrusion detection capability. We establish a link to relate these metrics, and prove a fundamental upper bound on the intrusion detection capability of an IDS. Our framework is a practical theory which is data trace driven and evaluation oriented in this area. In addition to grounding IDS research on a mathematical theory for formal study, this framework provides practical guidelines for IDS fine-tuning, evaluation and design, that is, the provided set of metrics greatly facilitates a static/dynamic fine-tuning of an IDS to achieve optimal operation and a fine-grained means to evaluate IDS performance and improve IDS design. We conduct experiments to demonstrate the utility of our framework in practice.",

author = "G. Gu and P. Fogla and D. Dagon and W. Lee and B. Skoric",

year = "2006",

doi = "10.1007/11863908_32",

language = "English",

isbn = "3-540-44601-X",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "527--546",

editor = "D. Gollmann and J. Meier and A. Sabelfeld",

booktitle = "Computer Security - ESORICS 2006 : 11th European Symposium on Research in Computer Security, Hamburg, Germany, September 18-20, 2006, Proceedings",

address = "Germany",

note = "11th European Symposium on Research in Computer Security (ESORICS 2006), ESORICS 2006 ; Conference date: 18-09-2006 Through 20-09-2006",

url = "http://www.esorics06.tu-harburg.de/",

}

Gu, G, Fogla, P, Dagon, D, Lee, W & Skoric, B 2006, Towards an information-theoretic framework for analyzing intrusion detection systems. in D Gollmann, J Meier & A Sabelfeld (eds), Computer Security - ESORICS 2006 : 11th European Symposium on Research in Computer Security, Hamburg, Germany, September 18-20, 2006, Proceedings. Lecture Notes in Computer Science, vol. 4189, Springer, Berlin, pp. 527-546, 11th European Symposium on Research in Computer Security (ESORICS 2006), Hamburg, Germany, 18/09/06. https://doi.org/10.1007/11863908_32

Towards an information-theoretic framework for analyzing intrusion detection systems. / Gu, G.; Fogla, P.; Dagon, D. et al.

Computer Security - ESORICS 2006 : 11th European Symposium on Research in Computer Security, Hamburg, Germany, September 18-20, 2006, Proceedings. ed. / D. Gollmann; J. Meier; A. Sabelfeld. Berlin : Springer, 2006. p. 527-546 (Lecture Notes in Computer Science; Vol. 4189).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Towards an information-theoretic framework for analyzing intrusion detection systems

AU - Gu, G.

AU - Fogla, P.

AU - Dagon, D.

AU - Lee, W.

AU - Skoric, B.

N1 - Conference code: 11

PY - 2006

Y1 - 2006

N2 - IDS research still needs to strengthen mathematical foundations and theoretic guidelines. In this paper, we build a formal framework, based on information theory, for analyzing and quantifying the effectiveness of an IDS. We firstly present a formal IDS model, then analyze it following an information-theoretic approach. Thus, we propose a set of information-theoretic metrics that can quantitatively measure the effectiveness of an IDS in terms of feature representation capability, classification information loss, and overall intrusion detection capability. We establish a link to relate these metrics, and prove a fundamental upper bound on the intrusion detection capability of an IDS. Our framework is a practical theory which is data trace driven and evaluation oriented in this area. In addition to grounding IDS research on a mathematical theory for formal study, this framework provides practical guidelines for IDS fine-tuning, evaluation and design, that is, the provided set of metrics greatly facilitates a static/dynamic fine-tuning of an IDS to achieve optimal operation and a fine-grained means to evaluate IDS performance and improve IDS design. We conduct experiments to demonstrate the utility of our framework in practice.

AB - IDS research still needs to strengthen mathematical foundations and theoretic guidelines. In this paper, we build a formal framework, based on information theory, for analyzing and quantifying the effectiveness of an IDS. We firstly present a formal IDS model, then analyze it following an information-theoretic approach. Thus, we propose a set of information-theoretic metrics that can quantitatively measure the effectiveness of an IDS in terms of feature representation capability, classification information loss, and overall intrusion detection capability. We establish a link to relate these metrics, and prove a fundamental upper bound on the intrusion detection capability of an IDS. Our framework is a practical theory which is data trace driven and evaluation oriented in this area. In addition to grounding IDS research on a mathematical theory for formal study, this framework provides practical guidelines for IDS fine-tuning, evaluation and design, that is, the provided set of metrics greatly facilitates a static/dynamic fine-tuning of an IDS to achieve optimal operation and a fine-grained means to evaluate IDS performance and improve IDS design. We conduct experiments to demonstrate the utility of our framework in practice.

U2 - 10.1007/11863908_32

DO - 10.1007/11863908_32

M3 - Conference contribution

SN - 3-540-44601-X

SN - 978-3-540-44601-9

T3 - Lecture Notes in Computer Science

SP - 527

EP - 546

BT - Computer Security - ESORICS 2006 : 11th European Symposium on Research in Computer Security, Hamburg, Germany, September 18-20, 2006, Proceedings

A2 - Gollmann, D.

A2 - Meier, J.

A2 - Sabelfeld, A.

PB - Springer

CY - Berlin

T2 - 11th European Symposium on Research in Computer Security (ESORICS 2006)

Y2 - 18 September 2006 through 20 September 2006

ER -

Gu G, Fogla P, Dagon D, Lee W, Skoric B. Towards an information-theoretic framework for analyzing intrusion detection systems. In Gollmann D, Meier J, Sabelfeld A, editors, Computer Security - ESORICS 2006 : 11th European Symposium on Research in Computer Security, Hamburg, Germany, September 18-20, 2006, Proceedings. Berlin: Springer. 2006. p. 527-546. (Lecture Notes in Computer Science). doi: 10.1007/11863908_32

Towards an information-theoretic framework for analyzing intrusion detection systems

Abstract

Publication series

Conference

Access to Document

Fingerprint

Cite this