Architectural Considerations for Anomaly Detection

Feb 09, 2005

Download: MP4 Video Size: 122.7MB  
Watch on YouTube

Abstract

The most commonly used intrusion detection system (IDS) performance metrics are detection rate and false alarm rate. From a usability point of view, a very important measurement is Bayesian detection rate, which indicates how likely there is an intrusion when the IDS outputs an alert. It depends on detection rate, false alarm rate, and base rate (the prior probability of intrusion). Typically, an anomaly detection system has a low Bayesian detection rate because it has a non-zero false alarm rate and the base rate in the target environment is very low.

We argue that we need better system architecture to improve Bayesian detection rate. The main objective is to increase the base rate of data stream analyzed by complex detection modules. The general principle is to use layered architecture.

One approach is to use a cascade of successively more complex detection modules. We show that base rate increases from one layer to the next. In many cases, the overall false alarm rate of the cascade can be very low. We describe a worm detection system with cascade architecture. In DSC, the lower layer module identifies hosts with