Team for Research in
Ubiquitous Secure Technology

Citation
Guofei Gu, Alvaro Cardenas, Wenke Lee. "Principled Reasoning and Practical Applications of Alert Fusion in Intrusion Detection Systems". ACM Symposium on Information, Computer and Communications Security (ASIACCS'08)., ACM, March, 2008.

Abstract
It is generally believed that by combining several diverse intrusion detectors (i.e., forming an IDS ensemble), we may achieve better performance. However, there has been very little work on analyzing the effectiveness of an IDS ensemble. In this paper, we study the following problem: how to make a good fusion decision on the alerts from multiple detectors in order to improve the final performance. We propose a decision-theoretic alert fusion technique based on the likelihood ratio test (LRT). We report our experience from empirical studies, and formally analyze its practical interpretation based on ROC curve analysis. Through theoretical reasoning and experiments using multiple IDSs on several data sets, we show that our technique is more flexible and also outperforms other existing fusion techniques such as AND, OR, majority voting, and weighted voting.

Electronic downloads

• http://www.eecs.berkeley.edu/~cardenas/Papers/ids_fusion_asiaccs08.pdf

• HTML

  Guofei Gu, Alvaro Cardenas, Wenke Lee. <a
  href="http://www.truststc.org/pubs/321.html"
  >Principled Reasoning and Practical Applications of Alert
  Fusion in Intrusion Detection Systems</a>, ACM
  Symposium on Information, Computer and Communications
  Security (ASIACCS'08)., ACM, March, 2008.

• Plain text

  Guofei Gu, Alvaro Cardenas, Wenke Lee. "Principled
  Reasoning and Practical Applications of Alert Fusion in
  Intrusion Detection Systems". ACM Symposium on
  Information, Computer and Communications Security
  (ASIACCS'08)., ACM, March, 2008.

• BibTeX

  @inproceedings{GuCardenasLee08_PrincipledReasoningPracticalApplicationsOfAlertFusion,
      author = {Guofei Gu and Alvaro Cardenas and Wenke Lee},
      title = {Principled Reasoning and Practical Applications of
                Alert Fusion in Intrusion Detection Systems},
      booktitle = {ACM Symposium on Information, Computer and
                Communications Security (ASIACCS'08).},
      organization = {ACM},
      month = {March},
      year = {2008},
      abstract = {It is generally believed that by combining several
                diverse intrusion detectors (i.e., forming an IDS
                ensemble), we may achieve better performance.
                However, there has been very little work on
                analyzing the effectiveness of an IDS ensemble. In
                this paper, we study the following problem: how to
                make a good fusion decision on the alerts from
                multiple detectors in order to improve the final
                performance. We propose a decision-theoretic alert
                fusion technique based on the likelihood ratio
                test (LRT). We report our experience from
                empirical studies, and formally analyze its
                practical interpretation based on ROC curve
                analysis. Through theoretical reasoning and
                experiments using multiple IDSs on several data
                sets, we show that our technique is more flexible
                and also outperforms other existing fusion
                techniques such as AND, OR, majority voting, and
                weighted voting.},
      URL = {http://www.truststc.org/pubs/321.html}
  }
  

Posted by Alvaro Cardenas on 13 Mar 2008.
Groups: trust
For additional information, see the Publications FAQ or contact webmaster at www truststc org.