Principled reasoning and practical applications of alert fusion in intrusion detection systems Conference Paper uri icon


  • It is generally believed that by combining several diverse intrusion detectors (i.e., forming an IDS ensemble), we may achieve better performance. However, there has been very little work on analyzing the effectiveness of an IDS ensemble. In this paper, we study the following problem: how to make a good fusion decision on the alerts from multiple detectors in order to improve the final performance. We propose a decision-theoretic alert fusion technique based on the likelihood ratio test (LRT). We report our experience from empirical studies, and formally analyze its practical interpretation based on ROC curve analysis. Through theoretical reasoning and experiments using multiple IDSs on several data sets, we show that our technique is more flexible and also outperforms other existing fusion techniques such as AND, OR, majority voting, and weighted voting. Copyright 2008 ACM.

name of conference

  • the 2008 ACM symposium

published proceedings

  • Proceedings of the 2008 ACM symposium on Information, computer and communications security - ASIACCS '08

author list (cited authors)

  • Gu, G., Crdenas, A. A., & Lee, W.

citation count

  • 21

complete list of authors

  • Gu, Guofei||C├írdenas, Alvaro A||Lee, Wenke

publication date

  • January 2008