Abstract
Intrusion detection systems (IDSs) must meet their security goals while minimizing the risk of wrong detections. In this paper, we study the problem of building a risk-sensitive intrusion detection model. To determine whether a sequence of system calls is normal or not, we consider not only the probability that the sequence belongs to the set of normal sequences or to the set of intrusion sequences, but also the risk of a false detection. We define a risk model that formulates the expected risk of an intrusion detection decision, and present risk-sensitive machine learning techniques that produce a detection model minimizing the risks of false negatives and false positives. The resulting model is a hybrid that combines misuse intrusion detection and anomaly intrusion detection. To achieve satisfactory performance, several techniques are applied to extend the model.
This paper is supported by the Key Nature Science Foundation of Hubei Province under grant 2001ABA001.
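The abstract's central point is that the decision on a system-call sequence x should minimize expected risk, R(a | x) = sum over classes w of lambda(a | w) P(w | x), rather than simply pick the class with the higher probability. The following is an added illustration, not code from the paper or its authors: it estimates P(x | normal) and P(x | intrusion) with smoothed bigram models (in the short-sequence spirit of Forrest et al.; the paper's own sequence model and window length are not given on this page), combines them with a class prior, and then applies the risk-minimizing rule with an asymmetric loss (false negative costlier than false positive). The traces, the prior of 0.05, the costs 1 and 50, and the Laplace smoothing are all assumptions made for the example.

```python
"""Risk-sensitive classification of system-call sequences.

Added example (not the paper's code). Assumptions: bigram models with
Laplace smoothing, a fixed intrusion prior, a 2x2 loss matrix, and the
small constructed traces below. Run it directly to see both decision
rules side by side.
"""
import math
from collections import Counter

N = 2  # n-gram length; an assumption for this example


def ngrams(trace, n=N):
    """Sliding-window n-grams of a system-call trace."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


class NgramModel:
    """Smoothed n-gram likelihood model for one class (normal or intrusion)."""

    def __init__(self, traces, n=N, alpha=1.0):
        self.n, self.alpha = n, alpha
        self.counts = Counter(g for t in traces for g in ngrams(t, n))
        self.total = sum(self.counts.values())

    def log_likelihood(self, trace, vocab_size):
        # Additive (Laplace) smoothing over the joint n-gram vocabulary, so an
        # n-gram never seen in this class still gets a small nonzero probability.
        denom = self.total + self.alpha * vocab_size
        return sum(math.log((self.counts[g] + self.alpha) / denom)
                   for g in ngrams(trace, self.n))


class RiskSensitiveDetector:
    """Bayes-risk decision between 'alarm' and 'pass' for one trace."""

    def __init__(self, normal_traces, intrusion_traces,
                 p_intrusion=0.05, cost_fp=1.0, cost_fn=50.0):
        self.normal = NgramModel(normal_traces)
        self.intr = NgramModel(intrusion_traces)
        # Vocabulary = union of n-grams seen in either training set (assumption).
        self.vocab = len(set(self.normal.counts) | set(self.intr.counts))
        self.log_prior_n = math.log(1.0 - p_intrusion)
        self.log_prior_i = math.log(p_intrusion)
        # lambda(alarm | normal) = cost_fp, lambda(pass | intrusion) = cost_fn,
        # correct decisions cost 0.
        self.cost_fp, self.cost_fn = cost_fp, cost_fn

    def posterior_intrusion(self, trace):
        """P(intrusion | x), computed in log space to avoid underflow."""
        ln = self.log_prior_n + self.normal.log_likelihood(trace, self.vocab)
        li = self.log_prior_i + self.intr.log_likelihood(trace, self.vocab)
        m = max(ln, li)
        return math.exp(li - m) / (math.exp(ln - m) + math.exp(li - m))

    def expected_risks(self, trace):
        """R(a | x) = sum_w lambda(a | w) P(w | x) for each action a."""
        p_i = self.posterior_intrusion(trace)
        return {"alarm": self.cost_fp * (1.0 - p_i), "pass": self.cost_fn * p_i}

    def decide(self, trace):
        """Risk-sensitive rule: take the action with the lowest expected risk."""
        risks = self.expected_risks(trace)
        return min(risks, key=risks.get)

    def decide_max_posterior(self, trace):
        """Risk-blind 0/1-loss rule, for comparison."""
        return "alarm" if self.posterior_intrusion(trace) > 0.5 else "pass"


# Constructed sample traces (not real audit data).
NORMAL_TRACES = [
    ["open", "read", "read", "close"],
    ["open", "read", "close"],
    ["open", "read", "read", "read", "close"],
]
INTRUSION_TRACES = [
    ["open", "read", "setuid", "execve"],
    ["read", "setuid", "execve", "execve"],
]


def build_detector():
    return RiskSensitiveDetector(NORMAL_TRACES, INTRUSION_TRACES)


if __name__ == "__main__":
    det = build_detector()
    for trace in (["open", "read", "close"], ["open", "read", "read", "setuid"]):
        print(trace, "P(intr|x)=%.4f" % det.posterior_intrusion(trace),
              "max-posterior:", det.decide_max_posterior(trace),
              "risk-sensitive:", det.decide(trace))
```

With the low intrusion prior, a mildly suspicious trace such as open, read, read, setuid has a posterior intrusion probability of only about 0.037, so the 0/1 rule passes it; with a false negative costing 50 times a false positive, the expected risk of passing (about 1.86) exceeds that of alarming (about 0.96) and the risk-sensitive rule raises an alarm. A clean trace such as open, read, close is passed by both rules. The cost ratio is the knob a practitioner tunes: alarm whenever P(intr | x) / P(normal | x) exceeds cost_fp / cost_fn.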
Copyright information
© 2003 Springer-Verlag Berlin Heidelberg
Cite this paper
Jin, H., Sun, J., Chen, H., Han, Z. (2003). A Risk-Sensitive Intrusion Detection Model. In: Lee, P.J., Lim, C.H. (eds) Information Security and Cryptology — ICISC 2002. ICISC 2002. Lecture Notes in Computer Science, vol 2587. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-36552-4_8
DOI: https://doi.org/10.1007/3-540-36552-4_8
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-00716-6
Online ISBN: 978-3-540-36552-5
eBook Packages: Springer Book Archive