Principled reasoning and practical applications of alert fusion in intrusion detection systems Conference Paper

abstract

• It is generally believed that by combining several diverse intrusion detectors (i.e., forming an IDS ensemble), we may achieve better performance. However, there has been very little work on analyzing the effectiveness of an IDS ensemble. In this paper, we study the following problem: how to make a good fusion decision on the alerts from multiple detectors in order to improve the final performance. We propose a decision-theoretic alert fusion technique based on the likelihood ratio test (LRT). We report our experience from empirical studies, and formally analyze its practical interpretation based on ROC curve analysis. Through theoretical reasoning and experiments using multiple IDSs on several data sets, we show that our technique is more flexible and also outperforms other existing fusion techniques such as AND, OR, majority voting, and weighted voting. Copyright 2008 ACM.

name of conference

• Proceedings of the 2008 ACM symposium on Information, computer and communications security

authors

• Gu, Guofei

published proceedings

• Proceedings of the 2008 ACM symposium on Information, computer and communications security

author list (cited authors)

• Gu, G., Crdenas, A. A., & Lee, W.

citation count

• 24

complete list of authors

• Gu, Guofei||Cárdenas, Alvaro A||Lee, Wenke

publication date

• January 2008

publisher

• Association for Computing Machinery (ACM)  Publisher

Digital Object Identifier (DOI)

• 10.1145/1368310.1368332

International Standard Book Number (ISBN) 13

• 9781595939791

start page

• 136

end page

• 147

URL

• http://dx.doi.org/10.1145/1368310.1368332