Abstract
Existing approaches to characterizing intrusion detection systems focus on performance under test conditions. While it is well-understood that operational conditions may differ from test conditions, little attention has been paid to the question of assessing the effect on IDS results of parameter estimation errors resulting from these differences. In this paper we consider this question in the context of multi-step attacks. We derive simulated distributions of the posterior probability of exploit given the observation of a series of alerts and bounds on the posterior uncertainty given a particular distribution of the model parameters. Knowledge of such bounds introduces the novel prospect of a confidence versus agility tradeoff in IDS administration. Such a tradeoff could give administrators flexibility in IDS configuration, allowing them to choose detection confidence at the price of detection latency, according to organizational priorities.
Original language | English (US) |
---|---|
Article number | 4721564 |
Pages (from-to) | 269-278 |
Number of pages | 10 |
Journal | Proceedings - Annual Computer Security Applications Conference, ACSAC |
DOIs | |
State | Published - 2008 |
Event | 24th Annual Computer Security Applications Conference, ACSAC 2008 - Anaheim, CA, United States Duration: Dec 8 2008 → Dec 12 2008 |
All Science Journal Classification (ASJC) codes
- Computer Networks and Communications
- Software
- Safety, Risk, Reliability and Quality