The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)

Wenke Lee - Georgia Tech

Students: Spring 2024, unless noted otherwise, sessions will be virtual on Zoom.

Architectural Considerations for Anomaly Detection

Feb 09, 2005

Download: Video Icon MP4 Video Size: 122.7MB  
Watch on Youtube Watch on YouTube

Abstract

The most commonly used intrusion detection system (IDS) performance metrics are detection rate and false alarm rate. From a usability point of view, a very important measurement is Bayesian detection rate, which indicates how likely there is an intrusion when the IDS outputs an alert. It depends on detection rate, false alarm rate, and base rate (the prior probability of intrusion). Typically, an anomaly detection system has a low Bayesian detection rate because it has a non-zero false alarm rate and the base rate in the target environment is very low.

We argue that we need better system architecture to improve Bayesian detection rate. The main objective is to increase the base rate of data stream analyzed by complex detection modules. The general principle is to use layered architecture.

One approach is to use a cascade of successively more complex detection modules. We show that base rate increases from one layer to the next. In many cases, the overall false alarm rate of the cascade can be very low. We describe a worm detection system with cascade architecture. In DSC, the lower layer module identifies hosts with

About the Speaker




Ways to Watch

YouTube

Watch Now!

Over 500 videos of our weekly seminar and symposia keynotes are available on our YouTube Channel. Also check out Spaf's YouTube Channel. Subscribe today!