Abstract
To compensate for the incompleteness of the known behaviors of a computing resource, model generalization is used to infer further behaviors for the behavior model beyond those directly observed. In principle, model generalization can raise the detection rate, but it may also degrade detection performance, so the relation between model generalization and detection performance is critical for intrusion detection. Most past research, however, evaluates only the overall efficiency of an intrusion detection technique, via its detection rate and false alarm (false positive) rate, rather than the usefulness of model generalization itself. In this paper we carry out such an evaluation and draw out the implications of model generalization for intrusion detection. Within our proposed methodology, model generalization can be achieved at three levels; here we evaluate the first level. The experimental results show that first level model generalization is, for the most part, useful for enhancing the detection performance of intrusion detection, but its implications differ across detection techniques. Our studies show that, in general, it is useful to generalize the normal behavior model so that more normal behaviors are recognized as such, whereas the same is not advisable for the intrusive behavior model. Intrusion signatures should therefore be built compactly, without first level generalization.
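The trade-off the abstract describes can be made concrete with a small simulation. The following is an added example, not code or data from the paper: it builds a 3-gram model of system-call traces in the style of Hofmeyr et al., treats "first level generalization" as an assumed one-substitution (Hamming distance 1) tolerance when matching a 3-gram against the model, and measures detection rate and false positive rate once with the tolerance applied to the normal-behavior model and once with it applied to the attack-signature model. All traces are constructed for the illustration; the paper's own generalization mechanism and experimental numbers are not reproduced here.

```python
# Constructed system-call traces (not from the paper); each list is one process run.
NORMAL_TRAIN = [
    ["open", "read", "read", "close"],
    ["open", "read", "write", "close"],
    ["open", "mmap", "read", "close"],
]
NORMAL_TEST = [
    ["open", "read", "read", "close"],    # seen during training
    ["open", "write", "read", "close"],   # one call substituted
    ["open", "mmap", "write", "close"],   # one call substituted
    ["open", "read", "write", "close"],   # seen during training
]
ATTACK_KNOWN = [                          # used only to build signatures
    ["open", "exec", "socket", "close"],
    ["socket", "exec", "read", "close"],
]
ATTACK_TEST = [
    ["open", "read", "exec", "socket", "close"],  # shares a 3-gram with a known attack
    ["exec", "socket", "read", "close"],          # one call away from a known attack
    ["open", "read", "exec", "close"],            # mimicry: every 3-gram is near normal
]

N = 3  # n-gram length, as in sequence-of-system-calls detectors


def ngrams(trace, n=N):
    """Sliding window of n consecutive calls over a trace."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def build_model(traces):
    """A behavior model is simply the set of n-grams seen in the given traces."""
    return {g for t in traces for g in ngrams(t)}


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def covered(gram, model, tolerance):
    """A gram is covered when it lies within `tolerance` substitutions of a model gram.
    tolerance=0 is exact matching; tolerance=1 is the assumed first-level generalization
    (this substitution tolerance is the example's assumption, not the paper's method)."""
    return any(hamming(gram, m) <= tolerance for m in model)


def anomaly_alarm(trace, normal_model, tolerance):
    # Anomaly detection: alarm when any 3-gram is NOT covered by the normal model.
    return any(not covered(g, normal_model, tolerance) for g in ngrams(trace))


def signature_alarm(trace, sig_model, tolerance):
    # Signature detection: alarm when any 3-gram IS covered by the signature model.
    return any(covered(g, sig_model, tolerance) for g in ngrams(trace))


def evaluate(alarm, model, tolerance):
    detections = sum(alarm(t, model, tolerance) for t in ATTACK_TEST)
    false_alarms = sum(alarm(t, model, tolerance) for t in NORMAL_TEST)
    return {
        "detection_rate": detections / len(ATTACK_TEST),
        "false_positive_rate": false_alarms / len(NORMAL_TEST),
    }


def run_all():
    """Strict vs. generalized matching for both the normal model and the signature model."""
    normal_model = build_model(NORMAL_TRAIN)
    sig_model = build_model(ATTACK_KNOWN)
    return {
        ("normal", "strict"): evaluate(anomaly_alarm, normal_model, 0),
        ("normal", "generalized"): evaluate(anomaly_alarm, normal_model, 1),
        ("signature", "strict"): evaluate(signature_alarm, sig_model, 0),
        ("signature", "generalized"): evaluate(signature_alarm, sig_model, 1),
    }


if __name__ == "__main__":
    for (model, mode), r in run_all().items():
        print(f"{model:9s} {mode:11s} "
              f"DR={r['detection_rate']:.2f} FPR={r['false_positive_rate']:.2f}")
```

On these constructed traces, generalizing the normal model removes the false alarms caused by the two slightly varied normal runs (FPR 0.50 to 0.00) at the cost of missing the mimicry attack whose every 3-gram is one substitution away from normal behavior (DR 1.00 to 0.67). Generalizing the signature model catches the one-call variant of a known attack (DR 0.33 to 0.67) but also fires on two ordinary normal runs (FPR 0.00 to 0.50), which is the effect behind the abstract's advice to keep signatures compact. Whether each trade is worth making depends on the real traces and on the relative cost of misses versus false alarms, which is what the paper's experiments measure.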
© 2005 Springer-Verlag Berlin Heidelberg
Cite this paper
Li, Z., Das, A., Zhou, J. (2005). Model Generalization and Its Implications on Intrusion Detection. In: Ioannidis, J., Keromytis, A., Yung, M. (eds) Applied Cryptography and Network Security. ACNS 2005. Lecture Notes in Computer Science, vol 3531. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11496137_16
DOI: https://doi.org/10.1007/11496137_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-26223-7
Online ISBN: 978-3-540-31542-1