Addressing Low Base Rates in Intrusion Detection via Uncertainty-Bounding Multi-Step Analysis
Robert Cole
The Pennsylvania State University College of Information Sciences and Technology
United States
Peng Liu
The Pennsylvania State University College of Information Sciences and Technology
United States
Abstract:
Existing approaches to characterizing intrusion detection systems focus on detection performance of single exploits under test conditions. While it is well understood that operational conditions may differ from test conditions and that exploits are often chained to accomplish a particular attack goal, little attention has been paid to assessing the impact of these factors on IDS inferences. In this paper we examine the effect of parameter estimation errors on IDS results in the context of multi-step attacks. We derive bounds on posterior uncertainty for 2-, 3-, 4- and 5-step linear exploit chains. Knowledge of such bounds introduces the novel prospect of a confidence versus agility tradeoff in IDS administration. Such a tradeoff could give administrators flexibility in IDS configuration, allowing them to choose detection confidence at the price of detection latency, according to organizational priorities.
