Selection of intrusion detection system threshold bounds for effective sensor fusion

Ciza Thomas∗, Narayanaswamy Balakrishnan
Supercomputer Education and Research Centre, Indian Institute of Science, Bangalore, India-560 012
Abstract

The motivation behind the fusion of Intrusion Detection Systems was the realization that, with increasing traffic and increasing complexity of attacks, none of the present-day stand-alone Intrusion Detection Systems can meet the high demand for a very high detection rate and an extremely low false positive rate. Multi-sensor fusion can meet these requirements by refining the combined response of different Intrusion Detection Systems. In this paper, we show the design technique of sensor fusion that best utilizes the useful responses from multiple sensors by an appropriate adjustment of the fusion threshold. The threshold is generally chosen according to past experience or by an expert system. In this paper, we show that choosing the threshold bounds according to the Chebyshev inequality principle performs better. This approach also helps to solve the problem of scalability and has the advantage of failsafe capability. This paper theoretically models the fusion of Intrusion Detection Systems for the purpose of proving the improvement in performance, supplemented with an empirical evaluation. The combination of complementary sensors is shown to detect more attacks than the individual components. Since the individual sensors chosen detect sufficiently different attacks, their results can be merged for improved performance. The combination is done in different ways: (i) taking all the alarms from each system and avoiding duplications, (ii) taking alarms from each system by fixing threshold bounds, and (iii) rule-based fusion with a priori knowledge of the individual sensor performance. A number of evaluation metrics are used, and the results indicate that there is an overall enhancement in the performance of the combined detector using sensor fusion incorporating the threshold bounds, and significantly better performance using simple rule-based fusion.
Keywords: Intrusion Detection Systems (IDS), Anomaly-based IDS, True Positive (TP), True Negative (TN), False Positive (FP), False Negative (FN), Sensor Fusion, Chebyshev Inequality
1. Introduction

An IDS gathers information from within a computer or a network and analyzes this information to identify possible security breaches against the system or the network. For the detection of external intrusion activities, if there are multiple paths to the Internet, an IDS needs to be present at every entry point, whereas for the detection of internal intrusion activities, an IDS is required in every network segment. Sensor fusion can be defined as the process of collecting information from multiple and possibly heterogeneous sources and combining it to obtain a more descriptive, intuitive and meaningful result [1]. The fusion technique works well when the sensors have some degree of similarity between them. Hence in this work we have concentrated on anomaly-based sensors, which report anomalies that exceed a set threshold level in the features they monitor. Threshold bounds instead of a single threshold give more freedom in steering system properties: any threshold within the bounds can be chosen depending on the preferred level of trade-off between detection and specifications. Fusion threshold bounds are derived at the fusion center from the false positive rates and detection rates of the individual IDSs using the Chebyshev inequality. The goal is to achieve the best fusion performance with the least amount of model knowledge in a computationally inexpensive way.

An experimental Packet Header Anomaly Detector (PHAD) [2], which monitors the 33 fields of the Ethernet, TCP, UDP and ICMP protocol headers, is chosen as one of the sensors for the combination. Observing the header fields makes it efficient at detecting probes and DoS attacks. The second sensor chosen is the Application Layer Anomaly Detector (ALAD) [3], which complements PHAD by monitoring incoming TCP connections to well-known server ports. ALAD has six attributes for detection, namely source IP address, destination IP address, destination port, TCP flags, application keywords and the application argument. It detects R2L (remote-to-local) attacks with a high detection rate, since R2L attacks normally exploit the application layer.

Related work in the field of sensor fusion has mainly used one of the following methods to aggregate information: probability theory, evidence theory, voting fusion theory, fuzzy logic theory or neural networks. Bayesian theory is the classical method for statistical inference problems; its fusion rule is expressed for a system of independent learners, with the distribution of hypotheses known a priori. Dempster-Shafer decision theory is considered a generalized Bayesian theory. Unlike the Bayesian approach, it does not require a priori knowledge of the probability distribution over the possible system states, and it is most useful when no model of the system is available [4]. In addition, it can incorporate heterogeneous expert knowledge into the system. Neural networks have been used to aggregate information by a non-linear transformation of the input vector; they are used in cases where the input-output relation is unknown and also when the computational requirement is high due to a large amount of data.

∗ [email protected]; phone 91 80 2293 2896; fax 91 80 2293 3438
2. Motivation of sensor fusion in intrusion detection systems

Even though sensor fusion is not expected to improve the currently available IDSs themselves, it is clear from previous work in sensor fusion that there are more effective means of analyzing the information provided by existing IDSs, giving an effective data refinement for knowledge recovery. By using sensor fusion techniques, a better overall detection rate and a lower false positive rate can be achieved. This paper attempts to prove the distinct advantages of sensor fusion over individual IDSs using the Chebyshev inequality, extending the work of Zhu et al. [5].
3. Modeling the fusion IDS by defining proper threshold bounds [5]

Every IDS participating in the fusion has its own detection rate $D_i$ and false positive rate $F_i$, owing to the preferred heterogeneity of the sensors in the fusion process. Each IDS $i$ gives an alert or no-alert, indicated by $S_i$ taking the value one or zero respectively. The fusion center collects these local decisions and forms a binomially distributed sum $S$ given by
$$S = \sum_{i=1}^{N} S_i,$$
where $N$ is the total number of IDSs taking part in the fusion.
Let $D$ and $F$ denote the unanimous detection rate and the false positive rate respectively. The mean and variance of $S$ in the case of attack and no-attack are given by the following equations:
$$E[S \mid \text{attack}] = \sum_{i=1}^{N} D_i, \qquad \mathrm{Var}[S \mid \text{attack}] = \sum_{i=1}^{N} D_i (1 - D_i) \quad \text{(in case of attack)}$$
$$E[S \mid \text{no-attack}] = \sum_{i=1}^{N} F_i, \qquad \mathrm{Var}[S \mid \text{no-attack}] = \sum_{i=1}^{N} F_i (1 - F_i) \quad \text{(in case of no-attack)}$$
The fusion IDS is required to give a high detection rate and a low false positive rate. Hence the threshold $T$ needs to be chosen well above the mean of the false alerts and well below the mean of the true alerts. Consequently, the threshold bounds are given by equation (1), of which only fragments are legible here: the lower bound begins with
$$\sum_{i=1}^{N} F_i < T \;\ldots \qquad (1)$$
and the remaining terms read $D_i^2$, $\sum_{i=1}^{N} D_i$ and $\sum_{i=1}^{N} (1 - F_i) F_i / F$; the rest of the expression is cut off.
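The following is an added worked example, not the paper's own code or its equation (1). It assumes, since the surviving text does not fix this, that the fusion rule is "alert if $S \ge T$", that the local decisions $S_i$ are independent (which the variance formula $\sum_i D_i(1-D_i)$ already presumes; correlated sensors have a larger variance and therefore looser bounds), and that $D$ and $F$ are the targets the fused detector must meet. Under those assumptions Chebyshev's inequality, $P(|S - E[S]| \ge k) \le \mathrm{Var}[S]/k^2$, yields the bounds directly. In the no-attack case, for $T > \sum_i F_i$,
$$P(S \ge T \mid \text{no-attack}) \le \frac{\sum_{i=1}^{N} F_i (1-F_i)}{\left(T - \sum_{i=1}^{N} F_i\right)^2} \le F \quad\Longrightarrow\quad T \ge \sum_{i=1}^{N} F_i + \sqrt{\frac{\sum_{i=1}^{N} F_i (1-F_i)}{F}},$$
and in the attack case, for $T < \sum_i D_i$, bounding the miss probability by $1-D$,
$$P(S < T \mid \text{attack}) \le \frac{\sum_{i=1}^{N} D_i (1-D_i)}{\left(\sum_{i=1}^{N} D_i - T\right)^2} \le 1-D \quad\Longrightarrow\quad T \le \sum_{i=1}^{N} D_i - \sqrt{\frac{\sum_{i=1}^{N} D_i (1-D_i)}{1-D}}.$$
The lower-bound term agrees with the $\sum_i (1-F_i)F_i / F$ fragment visible in equation (1); whether the paper's upper bound has exactly this form cannot be confirmed from the fragments. The Python below computes the interval, lists the integer thresholds it certifies (an empty list is the failure mode with too few or too weak sensors), and compares combination methods (i) and (ii) of the abstract on a constructed labelled sample. The sensor rates, sample sizes and function names are all assumptions made for the example.

```python
"""Chebyshev threshold bounds for IDS sensor fusion.

Added worked example, not code from the paper.  Assumptions (not fixed by the paper's
surviving text): the fused rule is "alert if S >= T", the local decisions S_i are
independent, and D / F are the detection and false positive targets the fused IDS must meet.
"""
from math import ceil, sqrt
import random


def fused_score(decisions):
    """S = sum of the local binary decisions S_i (1 = alert, 0 = no alert)."""
    return sum(1 for d in decisions if d)


def moments(rates):
    """Mean and variance of S when sensor i fires independently with probability rates[i]:
    E[S] = sum_i p_i and Var[S] = sum_i p_i (1 - p_i)."""
    return sum(rates), sum(p * (1.0 - p) for p in rates)


def chebyshev_threshold_bounds(D_i, F_i, D, F):
    """Real-valued interval [lower, upper] for T obtained from Chebyshev's inequality:
      P(S >= T | no-attack) <= Var_F / (T - mean_F)^2 <= F     =>  T >= mean_F + sqrt(Var_F / F)
      P(S <  T | attack)    <= Var_D / (mean_D - T)^2 <= 1 - D =>  T <= mean_D - sqrt(Var_D / (1 - D))
    """
    if not (0.0 < F and D < 1.0):
        raise ValueError("need F > 0 and D < 1 for the bounds to be finite")
    mean_D, var_D = moments(D_i)
    mean_F, var_F = moments(F_i)
    lower = mean_F + sqrt(var_F / F)
    upper = mean_D - sqrt(var_D / (1.0 - D))
    return lower, upper


def feasible_thresholds(D_i, F_i, D, F):
    """Integer thresholds certified by the bounds.  S is integer-valued, so the rule S >= T with a
    real T in [lower, upper] is the same decision as S >= ceil(T).  An empty list is the failure
    mode: the interval is empty, i.e. too few or too weak sensors for the requested D and F."""
    lower, upper = chebyshev_threshold_bounds(D_i, F_i, D, F)
    if lower > upper:
        return []
    n = len(D_i)
    return list(range(max(1, ceil(lower)), min(n, ceil(upper)) + 1))


def fuse_any(decisions):
    """Combination (i) of the abstract: one alarm whenever any sensor alerts (duplicates collapse)."""
    return 1 if fused_score(decisions) >= 1 else 0


def fuse_threshold(decisions, T):
    """Combination (ii): alarm when the fused score reaches the chosen threshold."""
    return 1 if fused_score(decisions) >= T else 0


def simulate(D_i, F_i, n_attack, n_normal, seed=7):
    """Constructed labelled sample of (label, [S_1 .. S_N]) drawn with the per-sensor rates."""
    rng = random.Random(seed)
    samples = [(1, [1 if rng.random() < d else 0 for d in D_i]) for _ in range(n_attack)]
    samples += [(0, [1 if rng.random() < f else 0 for f in F_i]) for _ in range(n_normal)]
    return samples


def evaluate(rule, samples):
    """Detection rate TP/(TP+FN) and false positive rate FP/(FP+TN) of a fusion rule."""
    tp = fn = fp = tn = 0
    for label, decisions in samples:
        alert = rule(decisions)
        if label:
            tp, fn = tp + alert, fn + 1 - alert
        else:
            fp, tn = fp + alert, tn + 1 - alert
    return tp / (tp + fn), fp / (fp + tn)


if __name__ == "__main__":
    # Constructed per-sensor rates for five heterogeneous anomaly detectors (not measured values).
    D_i = [0.70, 0.60, 0.80, 0.65, 0.75]
    F_i = [0.02, 0.05, 0.03, 0.04, 0.01]
    D, F = 0.5, 0.1
    lower, upper = chebyshev_threshold_bounds(D_i, F_i, D, F)
    print(f"{lower:.3f} <= T <= {upper:.3f}; certified integer T: {feasible_thresholds(D_i, F_i, D, F)}")
    samples = simulate(D_i, F_i, 4000, 4000)
    for name, rule in (("any-sensor", fuse_any), ("threshold T=2", lambda x: fuse_threshold(x, 2))):
        det, fpr = evaluate(rule, samples)
        print(f"{name:14s} detection={det:.3f} false-positive={fpr:.3f}")
    # Failure mode: with only three of the sensors the same targets give an empty interval.
    print("three sensors:", feasible_thresholds(D_i[:3], F_i[:3], D, F))
```

With the five constructed sensors the interval is roughly $1.35 \le T \le 2.07$, so only "alert when at least two sensors agree" (or three) is certified for $D = 0.5$, $F = 0.1$; the any-sensor rule of method (i) has a measured false positive rate above the $F$ target because the individual false positive rates add up, while the threshold rule stays below it. Dropping to three sensors makes the interval empty, which is the practical signal that either more sensors or a looser $D$/$F$ target is needed before Chebyshev can guarantee anything.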