DOI: 10.1145/1167253.1167289
Article

Alert confidence fusion in intrusion detection systems with extended Dempster-Shafer theory

Published: 18 March 2005

Abstract

Accurate identification of misuse is a key factor in determining appropriate ways to protect systems. Modern intrusion detection systems often use alerts from different sources such as hosts and sub-networks to determine whether and how to respond to an attack. However, alerts from different locations should not be treated equally. We propose improving and assessing alert accuracy by incorporating an algorithm based on the exponentially weighted Dempster-Shafer (D-S) Theory of Evidence. Our approach uses D-S theory to combine beliefs in certain hypotheses under conditions of uncertainty and ignorance, and allows quantitative measurement of the belief and plausibility in our detection results. Our initial evaluations on the DARPA IDS evaluation data set show that our alert fusion algorithm can improve alert quality over those from Hidden Colored Petri-Net (HCPN) based alert correlation components installed at the demilitarized zone (DMZ) and inside network sites. Due to alert confidence fusion in our example, the detection rate rises from 75% to 93.8%, without adversely affecting the false positive rate.
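The abstract describes combining per-sensor alert confidence with Dempster-Shafer theory and reading off belief and plausibility for the "attack" hypothesis. The block below is an added illustration, not the authors' code: it implements Dempster's rule of combination and Bel/Pl over a two-element frame {attack, normal}, and uses Shafer's classical discounting operator as an assumed stand-in for the paper's exponentially weighted scheme, which the abstract does not specify. The DMZ and inside-network masses are constructed sample values, not figures from the DARPA evaluation.

```python
from itertools import product

# Frame of discernment for a single alert: the observed activity is either an
# attack or normal traffic. Focal elements are frozensets over this frame; the
# full frame THETA carries whatever mass a sensor cannot assign (ignorance).
THETA = frozenset({"attack", "normal"})
ATTACK = frozenset({"attack"})
NORMAL = frozenset({"normal"})


def check_mass(mass, tol=1e-9):
    """Validate a basic probability assignment: non-empty subsets of THETA,
    non-negative masses, total mass 1."""
    total = 0.0
    for focal, m in mass.items():
        if not focal or not focal <= THETA:
            raise ValueError(f"bad focal element {set(focal)}")
        if m < 0:
            raise ValueError("negative mass")
        total += m
    if abs(total - 1.0) > tol:
        raise ValueError(f"masses sum to {total}, not 1")
    return mass


def discount(mass, reliability):
    """Shafer's discounting operator (an assumed stand-in for the paper's
    exponential weighting): every focal mass is scaled by the source's
    reliability and the remainder is moved to THETA, so a less trusted sensor
    contributes more ignorance rather than more conviction."""
    if not 0.0 <= reliability <= 1.0:
        raise ValueError("reliability must lie in [0, 1]")
    out = {}
    for focal, m in check_mass(mass).items():
        out[focal] = out.get(focal, 0.0) + reliability * m
    out[THETA] = out.get(THETA, 0.0) + (1.0 - reliability)
    return out


def combine(m1, m2):
    """Dempster's rule of combination. The product mass of each intersecting
    pair goes to the intersection; disjoint pairs form the conflict K, which is
    normalised away. Returns (joint mass, K)."""
    joint, conflict = {}, 0.0
    for (a, ma), (b, mb) in product(check_mass(m1).items(), check_mass(m2).items()):
        common = a & b
        if common:
            joint[common] = joint.get(common, 0.0) + ma * mb
        else:
            conflict += ma * mb
    if conflict > 1.0 - 1e-12:
        raise ValueError("sources are in total conflict; Dempster's rule is undefined")
    return {k: v / (1.0 - conflict) for k, v in joint.items()}, conflict


def belief(mass, hyp):
    """Bel(H): total mass of focal elements contained in H."""
    return sum(m for a, m in mass.items() if a <= hyp)


def plausibility(mass, hyp):
    """Pl(H): total mass of focal elements that intersect H, i.e. 1 - Bel(not H)."""
    return sum(m for a, m in mass.items() if a & hyp)


def fuse_alerts(sensors):
    """sensors: list of (mass, reliability). Discounts each sensor, folds the
    results together with Dempster's rule and returns the fused verdict for
    ATTACK plus the largest conflict seen (high K means the sources disagree)."""
    fused, worst_conflict = None, 0.0
    for mass, reliability in sensors:
        weighted = discount(mass, reliability)
        if fused is None:
            fused = weighted
        else:
            fused, k = combine(fused, weighted)
            worst_conflict = max(worst_conflict, k)
    return {
        "belief": belief(fused, ATTACK),
        "plausibility": plausibility(fused, ATTACK),
        "max_conflict": worst_conflict,
    }


# Constructed sample: the DMZ correlator is fairly sure but leaves 40% unassigned;
# the inside-network correlator is more confident and slightly contradictory.
DMZ_ALERT = {ATTACK: 0.6, THETA: 0.4}
INSIDE_ALERT = {ATTACK: 0.7, NORMAL: 0.1, THETA: 0.2}

if __name__ == "__main__":
    verdict = fuse_alerts([(DMZ_ALERT, 1.0), (INSIDE_ALERT, 1.0)])
    print(f"Bel(attack)={verdict['belief']:.3f} "
          f"Pl(attack)={verdict['plausibility']:.3f} K={verdict['max_conflict']:.3f}")
    # Against a single-source belief threshold of 0.8 neither sensor alone fires,
    # while the fused belief (about 0.872) does: the effect the abstract reports.
    weaker = fuse_alerts([(DMZ_ALERT, 1.0), (INSIDE_ALERT, 0.5)])
    print(f"inside sensor discounted to 0.5: Bel(attack)={weaker['belief']:.3f}")
```

The interval [Bel, Pl] is what makes this more useful than a single score: the gap between them is the mass still sitting on the whole frame, so a responder can see how much of the verdict rests on ignorance rather than evidence, and a large K flags sensors that contradict each other before normalisation hides it.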




Published In

ACMSE '05 vol 2: Proceedings of the 43rd annual ACM Southeast Conference - Volume 2, March 2005, 430 pages. ISBN: 1595930590. DOI: 10.1145/1167253

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. Dempster-Shafer theory of evidence
2. alert confidence fusion
3. alert correlation
4. hidden colored Petri-Net
5. intrusion detection system


Conference

ACM SE05: ACM Southeast Regional Conference 2005, March 18 - 20, 2005, Kennesaw, Georgia

Acceptance Rates

Overall Acceptance Rate 502 of 1,023 submissions, 49%


Cited By

  • (2021) Research Trends in Network-Based Intrusion Detection Systems: A Review. IEEE Access, vol. 9, pp. 157761-157779. DOI: 10.1109/ACCESS.2021.3129775
  • (2020) Real-Time Inter-Vehicle Data Fusion Based on a New Metric for Evidence Distance in Autonomous Vehicle Systems. Applied Sciences, 10(19):6834, 29 Sep 2020. DOI: 10.3390/app10196834
  • (2018) Non-destructive test method of rock bolt based on D-S evidence and spectral kurtosis. International Journal of Computer Applications in Technology, 57(2):167-176, 1 Jan 2018. DOI: 10.1504/IJCAT.2018.091640
  • (2017) Novice threat model using SIEM system for threat assessment. 2017 International Conference on Communication Technologies (ComTech), pp. 72-77, Apr 2017. DOI: 10.1109/COMTECH.2017.8065753
  • (2016) Applying extensions of evidence theory to detect frauds in financial infrastructures. International Journal of Distributed Sensor Networks, vol. 2015, p. 212, 1 Jan 2016. DOI: 10.1155/2015/980629
  • (2015) A data fusion technique to detect wireless network virtual jamming attacks. 2015 IEEE International Workshop on Measurements & Networking (M&N), pp. 1-6, Oct 2015. DOI: 10.1109/IWMN.2015.7322978
  • (2015) Anomaly-based intrusion detection of jamming attacks, local versus collaborative detection. Wireless Communications & Mobile Computing, 15(2):276-294, 10 Feb 2015. DOI: 10.1002/wcm.2341
  • (2014) Applying of network security situation awareness in smart substations. The 2014 2nd International Conference on Systems and Informatics (ICSAI 2014), pp. 137-142, Nov 2014. DOI: 10.1109/ICSAI.2014.7009274
  • (2014) Network security situation evaluation based on modified D-S evidence theory. Wuhan University Journal of Natural Sciences, 19(5):409-416, 11 Sep 2014. DOI: 10.1007/s11859-014-1033-1
  • (2013) An automatic and self-adaptive multi-layer data fusion system for WiFi attack detection. International Journal of Internet Technology and Secured Transactions, 5(1):42-62, 1 Dec 2013. DOI: 10.1504/IJITST.2013.058294
