Abstract
An intrusion detection system usually infers the status of an unknown behavior from the limited behaviors available to it via model generalization, but that generalization is not perfect. Most existing techniques use it blindly (or, at best, tune it to specific datasets) without considering the differences among application scenarios. For example, signature-based systems use signatures generated from specific occurrence environments, and anomaly-based systems are usually evaluated on a specific dataset. To make matters worse, various techniques have recently been introduced that exploit generalization which is too stingy or too generous and thereby render intrusion detection ineffective, for example mimicry attacks and automatic signature-variation generation. Therefore, a critical task in intrusion detection is to evaluate the effects of model generalization. In this paper, we address this task. First, we divide model generalization into several levels, which are evaluated one by one to identify their significance for intrusion detection. Our experimental results show that the significance of the different levels varies greatly. Under-generalization sacrifices detection performance, while over-generalization yields no benefit. Moreover, model generalization is necessary to identify more behaviors in detection, but its implications for normal behaviors differ from those for intrusive ones.
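The trade-off the abstract describes (under-generalization costs false positives, over-generalization costs missed intrusions) can be made concrete with a toy anomaly detector. The following is an added illustration, not the paper's own levels, detector or data: a "normal" model is the set of 3-grams seen in constructed system-call-like training traces, and the generalization level is the Hamming distance at which an unseen 3-gram is still accepted as normal.

```python
"""Toy experiment: how the generalization level of a behavior model trades
false positives against missed intrusions. Constructed illustration only;
the levels, traces and detector are assumptions, not the paper's."""


def ngrams(trace, n):
    """All length-n windows of a trace, as tuples."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def hamming(a, b):
    """Number of positions at which two equal-length n-grams differ."""
    return sum(x != y for x, y in zip(a, b))


def build_model(train_traces, n=3):
    """The normal-behavior model is simply the set of n-grams seen in training."""
    return {g for t in train_traces for g in ngrams(t, n)}


def is_anomalous(model, trace, n, level):
    """Flag a trace if any of its n-grams is farther than `level` (Hamming
    distance) from every n-gram in the model. level=0 means exact matching
    (no generalization); level=n accepts everything (total generalization)."""
    return any(min(hamming(g, m) for m in model) > level for g in ngrams(trace, n))


def evaluate(train, normal_test, intrusive_test, n=3, level=0):
    """Return (false_positive_rate, detection_rate) at one generalization level."""
    model = build_model(train, n)
    fp = sum(is_anomalous(model, t, n, level) for t in normal_test)
    tp = sum(is_anomalous(model, t, n, level) for t in intrusive_test)
    return fp / len(normal_test), tp / len(intrusive_test)


# Constructed sample traces (hypothetical system-call-like tokens).
TRAIN = [["open", "read", "write", "close"],
         ["open", "read", "read", "close"],
         ["open", "mmap", "read", "close"]]
# One normal trace seen in training, one legitimate variant never seen.
NORMAL_TEST = [["open", "read", "write", "close"],
               ["open", "read", "write", "write", "close"]]
# One blatant intrusion, one that reuses mostly normal-looking tokens.
INTRUSIVE_TEST = [["open", "read", "exec", "socket", "connect"],
                  ["open", "read", "exec", "close"]]

if __name__ == "__main__":
    for level in range(4):
        fpr, dr = evaluate(TRAIN, NORMAL_TEST, INTRUSIVE_TEST, level=level)
        print(f"level={level}: false positive rate={fpr:.2f}, detection rate={dr:.2f}")
```

At level 0 the unseen normal variant is flagged (a false positive) while both intrusions are caught; at levels 1 and 2 the variant is accepted but the subtler intrusion is missed; at level 3 nothing is detected at all.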
Please use the following format when citing this chapter: Li, Z., Das, A., and Zhou, J., 2007, in IFIP International Federation for Information Processing, Volume 232, New Approaches for Security, Privacy and Trust in Complex Environments, eds. Venter, H., Eloff, M., Labuschagne, L., Eloff, J., von Solms, R., (Boston: Springer), pp. 421–432.
© 2007 International Federation for Information Processing
Li, Z., Das, A., Zhou, J. (2007). Evaluating the Effects of Model Generalization on Intrusion Detection Performance. In: Venter, H., Eloff, M., Labuschagne, L., Eloff, J., von Solms, R. (eds) New Approaches for Security, Privacy and Trust in Complex Environments. SEC 2007. IFIP International Federation for Information Processing, vol 232. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-72367-9_36
DOI: https://doi.org/10.1007/978-0-387-72367-9_36
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-72366-2
Online ISBN: 978-0-387-72367-9