
Proceedings Paper

Selection of intrusion detection system threshold bounds for effective sensor fusion
Author(s): Ciza Thomas; Narayanaswamy Balakrishnan

Paper Abstract

The motivation behind the fusion of Intrusion Detection Systems was the realization that, with increasing traffic and increasing complexity of attacks, none of the present-day stand-alone Intrusion Detection Systems can meet the demand for a very high detection rate and an extremely low false positive rate. Multi-sensor fusion can be used to meet these requirements by refining the combined response of different Intrusion Detection Systems. In this paper, we show a design technique for sensor fusion that makes the best use of the useful response from multiple sensors by an appropriate adjustment of the fusion threshold. The threshold is generally chosen according to past experience or by an expert system. In this paper, we show that choosing the threshold bounds according to the Chebyshev inequality principle performs better. This approach also helps to solve the problem of scalability and has the advantage of failsafe capability. This paper theoretically models the fusion of Intrusion Detection Systems for the purpose of proving the improvement in performance, supplemented with an empirical evaluation. The combination of complementary sensors is shown to detect more attacks than the individual components. Since the individual sensors chosen detect sufficiently different attacks, their results can be merged for improved performance. The combination is done in different ways, such as (i) taking all the alarms from each system and avoiding duplications, (ii) taking alarms from each system by fixing threshold bounds, and (iii) rule-based fusion with a priori knowledge of the individual sensor performance. A number of evaluation metrics are used, and the results indicate that there is an overall enhancement in the performance of the combined detector using sensor fusion incorporating the threshold bounds, and significantly better performance using simple rule-based fusion.

Paper Details

Date Published: 9 April 2007
PDF: 10 pages
Proc. SPIE 6570, Data Mining, Intrusion Detection, Information Assurance, and Data Networks Security 2007, 657007 (9 April 2007); doi: 10.1117/12.719295
Ciza Thomas, Indian Institute of Science (India)
Narayanaswamy Balakrishnan, Indian Institute of Science (India)

Published in SPIE Proceedings Vol. 6570:
Data Mining, Intrusion Detection, Information Assurance, and Data Networks Security 2007
Belur V. Dasarathy, Editor(s)
