Christopher Kruegel, Darren Mutz, William Robertson, Fredrik Valeur
University of California, Santa Barbara
The constant increase of attacks against networks and their resources necessitates steps to protect these valuable assets. Firewalls are now a common installation to repel intrusion attempts before they develop. Intrusion detection systems (IDS), which try to detect malicious activities instead of preventing them, offer additional protection when the first defense perimeter has been penetrated. These systems attempt to identify attacks by comparing collected data to predefined signatures known to be malicious (misuse-based IDS) or to a model of legal behavior (anomaly-based IDS).
Anomaly-based approaches have the advantage of being able to detect previously unknown attacks, but they suffer from the difficulty of building robust models of acceptable behavior and a high number of false alarms that are caused by unusual but legitimate activity. Almost all current anomaly-based intrusion detection systems classify an input event as normal or anomalous by analyzing its features, utilizing a number of different models. A decision for an input event is made by aggregating the results of all employed models.
We have identified two reasons for the large number of false alarms, caused by incorrect classification of events in current systems. One is the simplistic aggregation of model outputs in the decision phase. Often, only the sum of the model results is calculated and compared to a threshold. The other reason is the lack of integration of additional information into the decision process. This additional information can be related to the models, such as the confidence in a model's output, or from external sources. To mitigate these shortcomings, we propose an event classification scheme that is based on Bayesian networks. Bayesian networks improve the aggregation of different model outputs and allow us to seamlessly incorporate additional information. Experimental results show that the accuracy of the event classification process was significantly improved using the proposed approach.
Keywords: Intrusion Detection, Bayesian Networks, Event Classification
Read Paper (in PDF)