Abstract

Intrusion detection systems (IDSs) are widely used to counter security threats in computer networks. Anomaly-based approaches have the advantage of being able to detect previously unknown attacks, but they suffer from the difficulty of building robust models of acceptable behaviour, which in current systems results in a large number of false alarms caused by incorrect classification of events. We propose a new approach to anomaly-based intrusion detection. It consists of building a reference behaviour model and using a Bayesian classification procedure, combined with an unsupervised learning algorithm, to evaluate the deviation between current and reference behaviour. Continuous re-estimation of the model parameters allows real-time operation. Recursive log-likelihood and entropy estimation is used as a measure for monitoring model degradation caused by behaviour changes, and triggers the associated model update. Our results show that the accuracy of the event classification process is significantly improved by the proposed approach, which reduces missed alarms.

Highlights

  • Intrusion detection can be defined as the process of identifying malicious behavior that targets a network and its resources

  • We have identified two main problems that contribute to the large number of false positives

  • In the particular case of Gaussian mixture models (GMM), i.e. mixture models with Gaussian kernel functions, which are used in the experiments presented further on, Eq. (1) should be rewritten by taking the mean of H_K over all observed data (Eq. (10)): n_K


Introduction

Intrusion detection can be defined as the process of identifying malicious behaviour that targets a network and its resources. Signature-based systems have the advantage that they usually generate few false positives (i.e., they rarely flag a legitimate event as malicious), but they can only detect attacks that have been specified in advance: an intrusion for which no signature exists goes undetected. Anomaly-based techniques follow an approach that is complementary to misuse detection. They rely on models, or profiles, of the normal behaviour of users, applications and network traffic, and flag deviations from those profiles. The ability to detect previously unknown attacks is usually paid for with a large number of false positives. A second problem of anomaly-based systems is that they cannot distinguish between anomalous behaviour caused by unusual but legitimate actions and activity that is the manifestation of an attack.
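The following is an added example, written for this page and not the paper's own code, of the mechanism the abstract and introduction describe: a Gaussian mixture reference model of normal behaviour fitted by unsupervised EM, a Bayesian posterior P(attack | event) for each incoming event, and a recursive (exponentially weighted) estimate of the model's log-likelihood and responsibility entropy that flags model degradation and triggers re-estimation on the recent window. The one-dimensional feature, the sample distributions, the flat attack density, the thresholds and all names (`DriftMonitor`, `attack_posterior`, `ll_drop`, `h_rise`, ...) are constructed assumptions for the example.

```python
# Added example (not the paper's code). 1-D GMM reference model, Bayesian event
# classification, and recursive log-likelihood/entropy drift monitoring.
import math
import random


def make_normal_traffic(n, seed=1):
    """Constructed sample: one feature (e.g. bytes per request) with two normal modes."""
    rng = random.Random(seed)
    return [rng.gauss(200.0, 30.0) if rng.random() < 0.6 else rng.gauss(800.0, 60.0)
            for _ in range(n)]


def gaussian_logpdf(x, mean, var):
    return -0.5 * (math.log(2.0 * math.pi * var) + (x - mean) ** 2 / var)


def logsumexp(vals):
    m = max(vals)
    return m + math.log(sum(math.exp(v - m) for v in vals))


def component_logweights(x, comps):
    """log(w_k) + log N(x | mu_k, var_k) for every component (w, mu, var)."""
    return [math.log(w) + gaussian_logpdf(x, m, v) for w, m, v in comps]


def fit_gmm(data, k=2, iters=50):
    """Unsupervised EM for a 1-D GMM; means start at evenly spaced quantiles."""
    n, srt = len(data), sorted(data)
    gmean = sum(data) / n
    gvar = sum((x - gmean) ** 2 for x in data) / n
    comps = [(1.0 / k, srt[(2 * j + 1) * n // (2 * k)], gvar) for j in range(k)]
    for _ in range(iters):
        resp = []
        for x in data:                       # E-step: responsibilities r_k(x)
            lw = component_logweights(x, comps)
            z = logsumexp(lw)
            resp.append([math.exp(l - z) for l in lw])
        new = []
        for j in range(k):                   # M-step: weight, mean, variance
            nk = sum(r[j] for r in resp)
            if nk < 1e-9:                    # empty component: keep the old one
                new.append(comps[j])
                continue
            mean = sum(r[j] * x for r, x in zip(resp, data)) / nk
            var = sum(r[j] * (x - mean) ** 2 for r, x in zip(resp, data)) / nk
            new.append((nk / n, mean, max(var, 1e-6)))
        comps = new
    return comps


def log_likelihood(x, comps):
    return logsumexp(component_logweights(x, comps))


def responsibility_entropy(x, comps):
    """Entropy of the posterior over components; high near cluster boundaries."""
    lw = component_logweights(x, comps)
    z = logsumexp(lw)
    return -sum(math.exp(l - z) * (l - z) for l in lw)


def attack_posterior(x, comps, prior_attack=0.01, feature_range=(0.0, 10000.0)):
    """P(attack | x). Assumption: attacks are modelled by a flat density over the
    feature range, so the posterior grows as the event's likelihood under the
    reference model shrinks."""
    log_num = math.log(prior_attack) - math.log(feature_range[1] - feature_range[0])
    log_normal = math.log(1.0 - prior_attack) + log_likelihood(x, comps)
    return math.exp(log_num - logsumexp([log_num, log_normal]))


class DriftMonitor:
    """Recursive estimates of mean log-likelihood and entropy under the current
    model; a sustained log-likelihood drop (or entropy rise) relative to the
    training reference marks the model as degraded and allows re-estimation."""

    def __init__(self, train, k=2, alpha=0.05, ll_drop=3.0, h_rise=0.5, window=400):
        self.k, self.alpha, self.window = k, alpha, window
        self.ll_drop, self.h_rise = ll_drop, h_rise
        self.buffer = list(train[-window:])
        self.updates = 0
        self._refit(train)

    def _refit(self, data):
        self.comps = fit_gmm(data, self.k)
        self.ll_ref = sum(log_likelihood(x, self.comps) for x in data) / len(data)
        self.h_ref = sum(responsibility_entropy(x, self.comps) for x in data) / len(data)
        self.ll_est, self.h_est = self.ll_ref, self.h_ref   # reset the recursions

    def degraded(self):
        return (self.ll_est < self.ll_ref - self.ll_drop
                or self.h_est > self.h_ref + self.h_rise)

    def observe(self, x):
        """Score one event; returns (attack posterior, degraded flag)."""
        a = self.alpha
        self.ll_est = (1 - a) * self.ll_est + a * log_likelihood(x, self.comps)
        self.h_est = (1 - a) * self.h_est + a * responsibility_entropy(x, self.comps)
        self.buffer = (self.buffer + [x])[-self.window:]
        return attack_posterior(x, self.comps), self.degraded()

    def update(self):
        """Re-estimate the model from the recent window. Caveat: if the window
        holds attack traffic, the attack becomes part of 'normal' (model
        poisoning), so in practice gate this on analyst review."""
        self._refit(self.buffer)
        self.updates += 1


def demo():
    mon = DriftMonitor(make_normal_traffic(500, seed=1))
    drift_flags = [mon.observe(x)[1] for x in make_normal_traffic(200, seed=2)]
    rng = random.Random(3)                   # constructed behaviour change: new mode at 450
    posts = [mon.observe(rng.gauss(450.0, 20.0))[0] for _ in range(200)]
    degraded, ll_before = mon.degraded(), log_likelihood(450.0, mon.comps)
    mon.update()
    return {"spurious_drift": any(drift_flags), "degraded_after_shift": degraded,
            "mean_posterior_shift": sum(posts) / len(posts), "ll_before": ll_before,
            "ll_after": log_likelihood(450.0, mon.comps), "updates": mon.updates}
```

The new mode at 450 is flagged as attack-like by the posterior and simultaneously drives the recursive log-likelihood far below the training reference, which is exactly the ambiguity the introduction describes: the statistics alone cannot tell a legitimate behaviour change from an attack, so the model update must be gated rather than applied automatically.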

