The Base Rate Fallacy and its Implications for the Difficulty of Intrusion Detection



Similar documents
CSC574 - Computer and Network Security Module: Intrusion Detection

CS Computer and Network Security: Intrusion Detection

CSCE 465 Computer & Network Security

CSCI 4250/6250 Fall 2015 Computer and Networks Security

Performance Evaluation of Intrusion Detection Systems

The Base-Rate Fallacy and its Implications for the Difficulty of Intrusion Detection

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for

Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined.

State of Vermont. Intrusion Detection and Prevention Policy. Date: Approved by: Tom Pelham Policy Number:

Network Based Intrusion Detection Using Honey pot Deception

Taxonomy of Intrusion Detection System

IDS for SAP. Application Based IDS Reporting in the ERP system SAP R/3

Intrusion Detection Systems Submitted in partial fulfillment of the requirement for the award of degree Of Computer Science

Intrusion Detection Systems

Role of Anomaly IDS in Network

Observation and Findings

The Integration of SNORT with K-Means Clustering Algorithm to Detect New Attack

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

Detecting Anomaly IDS in Network using Bayesian Network

Intrusion Detection. Overview. Intrusion vs. Extrusion Detection. Concepts. Raj Jain. Washington University in St. Louis

Module II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University

Second-generation (GenII) honeypots

Intrusion Detection Systems

A Proposed Architecture of Intrusion Detection Systems for Internet Banking

CHAPTER 1 INTRODUCTION

IDS / IPS. James E. Thiel S.W.A.T.

Intrusion Detection Systems. Overview. Evolution of IDSs. Oussama El-Rawas. History and Concepts of IDSs

Intrusion Detection for Mobile Ad Hoc Networks

Network Intrusion Detection Systems

Outline Intrusion Detection CS 239 Security for Networks and System Software June 3, 2002

CSE543 - Introduction to Computer and Network Security. Module: Final review

How To Prevent Network Attacks

Intruders & Intrusion Hackers Criminal groups Insiders. Detection and IDS Techniques Detection Principles Requirements Host-based Network-based

SCADA Security Measures

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cyber Security and Insider Threat: Research and Challenges

A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS

Intrusion Detection Systems and Supporting Tools. Ian Welch NWEN 405 Week 12

Web Application Security

Security Management of Cloud-Native Applications. Presented By: Rohit Sharma MSc in Dependable Software Systems (DESEM)

Speedy Signature Based Intrusion Detection System Using Finite State Machine and Hashing Techniques

Data Clustering for Anomaly Detection in Network Intrusion Detection

How To Prevent Hacker Attacks With Network Behavior Analysis

Data Security Incident Response Plan. [Insert Organization Name]

Intrusion Detection Systems

Intrusion Detection. Tianen Liu. May 22, paper will look at different kinds of intrusion detection systems, different ways of

SURVEY OF INTRUSION DETECTION SYSTEM

How To Protect A Network From Attack From A Hacker (Hbss)

Security Event Management. February 7, 2007 (Revision 5)

SERVICE ORIENTED EVENT ASSESSMENT CLOSING THE GAP OF COMPLIANCE MANAGEMENT

Intrusion Detection Systems. (slides courtesy Prof. Stolfo)

Intrusion Detection Categories (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

Contents. Intrusion Detection Systems (IDS) Intrusion Detection. Why Intrusion Detection? What is Intrusion Detection?

APPLICATION OF MULTI-AGENT SYSTEMS FOR NETWORK AND INFORMATION PROTECTION

Network Security. Chapter 9. Attack prevention, detection and response. Attack Prevention. Part I: Attack Prevention

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT

Our Security. History of IDS Cont d In 1983, Dr. Dorothy Denning and SRI International began working on a government project.

IDS : Intrusion Detection System the Survey of Information Security

End-user Security Analytics Strengthens Protection with ArcSight

Intruders and viruses. 8: Network Security 8-1

Beyond Detection: Neutralizing Attacks Before They Reach the Firewall

Principles of Information Security, Fourth Edition. Chapter 12 Information Security Maintenance

Ensuring Security in Cloud with Multi-Level IDS and Log Management System

How To Protect Your Network From Attack

Student Tech Security Training. ITS Security Office

CNA 432/532 OSI Layers Security

Security Intrusion & Detection. Intrusion Detection Systems (IDSs)

CA Host-Based Intrusion Prevention System r8.1

Network- vs. Host-based Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Insider Threat Control: Using a SIEM signature to detect potential precursors to IT Sabotage. CERT Insider Threat Center

Name. Description. Rationale

Intrusion Detection Systems

NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT

Application Intrusion Detection

INTRUSION DETECTION SYSTEMS and Network Security

PROFESSIONAL SECURITY SYSTEMS

Chapter-3 Intruder Detection and Intruder Identification

Overcoming PCI Compliance Challenges

Network-Based and Host- Based Intrusion Detection. Harley Kozushko. Graduate Seminar

Network Security Policy

Intrusion Detection System in Campus Network: SNORT the most powerful Open Source Network Security Tool

An Evaluation of Machine Learning Method for Intrusion Detection System Using LOF on Jubatus

Transcription:

The Base Rate Fallacy and its Implications for the Difficulty of Intrusion Detection Stefan Axelsson Presented by Kiran Kashalkar

Agenda 1. 1. General Overview of of IDS 2. 2. Bayes Theorem and Base-Rate Fallacy 3. 3. Base-Rate Fallacy in in Intrusion Detection 4. 4. Impact on on Intrusion Detection Systems 5. 5. Conclusion

Intrusion Detection Systems Organization of of a generalized IDS Intends to detect security violations from: Outsiders using prepacked exploit scripts Impersonators (outsiders as well as insiders) Insiders abusing legitimate privileges Fundamental questions: Effectiveness, Efficiency, Ease of use, Security, Inter-Operability, Transparency This paper focuses on Effectiveness

Intrusion Detection Systems (cont d) Few anti-intrusion techniques: Prevention e.g. don t connect to the internet Preemption strike against threat before attack is mounted Deterrence increase perceived risk of negative consequences for the attacker Deflection e.g. use of honeypots Detection detect anomalies and notify authority to initiate proper response Countermeasures actively and autonomously counter intrusions as they are attempted

Types of Intrusion Detection Strategies Broadly classified into: Anomaly detection System reacts to deviations of subject behavior from normal behavior Normal subject behavior is updated as new knowledge about subject behavior becomes known Policy detection (Misuse detection) System tries to find evidence that matches known signatures of intrusive or suspect behavior (signature-based detection) System flags every action deviating from known signatures of benign behavior (specification-based detection)

Bayes Theorem and Base-Rate Fallacy Given: P: Person tests positive for a disease S: The person is sick P(P S)=0.99 and P( P S)=0.99 A person tested positive Only 1 in 10000 people have this ailment Rate of incidence P(S) Find the probability that the person is infected with that disease P(S P) works out to be only about 1% Fallacy: Humans don t consider base rate when intuitively solving such problems of probability U 1) P & S P 2) P & S P(S P) = P(P S)P(S) P(P S)P(S) + P(P S)P( S) = 1/10000 0.99 1/10000 0.99 + (1-1/10000) 0.01 = 0.00980 1% S 3) P & S 4) P & S

Base-Rate Fallacy in Intrusion Detection Assumptions in the hypothesized system: Few tens of workstations running UNIX Few servers running UNIX Couple of dozen users Capable of generating 1,000,000 audit records per day (with C2 compliant logging) Single site security officer (SSO) 10 audit records affected in the average intrusion 2 intrusions per day => 20 records per 1,000,000 account to actual intrusions

Base-Rate Fallacy in Intrusion Detection (cont d) Calculation of Bayesian detection rates I: Intrusive behavior A: Presence of an intrusion alarm With the assumptions, we have: P(I) = 2 10-5 ; P( I) = 1 P(I) = 0.99998 Detection rate or True positive rate: P(A I) False alarm rate: P(A I) False negative rate: P( A I) = 1 - P(A I) True negative rate: P( A I) = 1 - P(A I) Maximize P(I A): Bayesian detection rate P( I A)

Base-Rate Fallacy in Intrusion Detection (cont d) P(I A) = P(I)P(A I) P(I) P(A I) + P( I) P(A I) = 2 10-5 P(A I) 2 10-5 P(A I) + 0.99998 P(A I) Thus, factor governing detection rate is completely dominated by factor governing false alarm rate Desired maximum at P(A I) = 1 and P(A I) = 0 Is this achievable in practice? NOT REALLY

Base-Rate Fallacy in Intrusion Detection (cont d) For P(A I)=1, P(A I)=1 10-5, we get P(I A) as 0.66 For P(A I)=0.7, P(A I)=1 10-5, we get P(I A) as 0.58 => Even for large detection rate, viz. P(A I), Bayesian detection rate is dominated by the factor of false alarm rate, viz. factor of P(A I) => Even if n(i A) were low, P(I A) close to 50% will induce SSO to ignore all (or most) of the alarms generated

Impact on Intrusion Detection Systems Comparison of reported results with the established requirements on the effectiveness of intrusion detection systems Plot of detection rate vs. false alarm rate ROC curve analysis of the results re-establishes that detection and false alarm rates are linked Studies roughly divided into 2 classes: With larger false rate values (anomaly-based detection methods) With smaller false rate values closer to the requirements (misuse-based detection methods)

Future Work and Conclusions Limitations of this paper: Use of subjective probabilities in calculations Treats intrusion detection as a binary problem Does not consider SSO behavior in entire correctness Conclusions: Intrusion detection is difficult in real world The effectiveness of an intrusion detection system depends not on its ability to detect intrusive behavior but on its ability to suppress false alarms Comparison shows anomaly-based detection methods have larger false alarm rates than misusebased detection, but misuse-based detection methods cannot provide protection against novel intrusions

References S. Axelsson. Research in Intrusion Detection Systems: A Survey http://www.acm.org/crossroads/xrds2-4/intrus.html Lawrence R. Halme and R. Kenneth Bauer. AINT Misbehaving: A Taxonomy of Anti-Intrusion Techniques

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information