Team for Research in
Ubiquitous Secure Technology

Principled Reasoning and Practical Applications of Alert Fusion in Intrusion Detection Systems
Guofei Gu, Alvaro Cardenas, Wenke Lee

Citation
Guofei Gu, Alvaro Cardenas, Wenke Lee. "Principled Reasoning and Practical Applications of Alert Fusion in Intrusion Detection Systems". ACM Symposium on Information, Computer and Communications Security (ASIACCS'08), ACM, March 2008.

Abstract
It is generally believed that by combining several diverse intrusion detectors (i.e., forming an IDS ensemble), we may achieve better performance. However, there has been very little work on analyzing the effectiveness of an IDS ensemble. In this paper, we study the following problem: how to make a good fusion decision on the alerts from multiple detectors in order to improve the final performance. We propose a decision-theoretic alert fusion technique based on the likelihood ratio test (LRT). We report our experience from empirical studies, and formally analyze its practical interpretation based on ROC curve analysis. Through theoretical reasoning and experiments using multiple IDSs on several data sets, we show that our technique is more flexible and also outperforms other existing fusion techniques such as AND, OR, majority voting, and weighted voting.
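The LRT fusion rule the abstract describes, as an added example that is not the paper's own code: three hypothetical detectors with constructed (TPR, FPR) operating points are fused by summing per-detector log likelihood ratios and comparing the sum with a threshold set by an assumed attack prior and miss/false-alarm costs. The block also computes the exact ensemble operating point and Bayes risk of each rule, so the LRT can be compared with the AND, OR and majority-voting rules the abstract mentions; the conditional-independence form of the LRT and every numeric value are assumptions, not taken from the paper.

```python
from itertools import product
from math import log

# Constructed per-detector operating points (TPR, FPR) for three hypothetical IDSs;
# assumed values for illustration only, not measurements from the paper.
DETECTORS = {"ids_a": (0.90, 0.05), "ids_b": (0.70, 0.001), "ids_c": (0.60, 0.10)}

def log_likelihood_ratio(alerts, detectors=DETECTORS):
    """Sum of per-detector log likelihood ratios for one alert pattern.
    Assumes detectors are conditionally independent given the ground truth."""
    llr = 0.0
    for name, (tpr, fpr) in detectors.items():
        llr += log(tpr / fpr) if alerts[name] else log((1 - tpr) / (1 - fpr))
    return llr

def lrt_fuse(alerts, prior_attack=0.01, cost_miss=10.0, cost_fa=1.0, detectors=DETECTORS):
    """Bayes-risk-minimising LRT: alarm iff LR >= C_fa*P(normal) / (C_miss*P(attack))."""
    threshold = log(cost_fa * (1 - prior_attack) / (cost_miss * prior_attack))
    return log_likelihood_ratio(alerts, detectors) >= threshold

# The fixed combination rules the paper compares against (majority: strictly more than half).
def and_fuse(alerts): return all(alerts.values())
def or_fuse(alerts): return any(alerts.values())
def majority_fuse(alerts): return 2 * sum(alerts.values()) > len(alerts)

def ensemble_rates(fuse, detectors=DETECTORS):
    """Exact (TPR, FPR) of a fusion rule: enumerate every alert pattern and add up
    its probability under attack and under normal traffic when the rule alarms."""
    names = list(detectors)
    tpr = fpr = 0.0
    for bits in product((0, 1), repeat=len(names)):
        alerts = dict(zip(names, bits))
        p_attack = p_normal = 1.0
        for name, bit in alerts.items():
            t, f = detectors[name]
            p_attack *= t if bit else 1 - t
            p_normal *= f if bit else 1 - f
        if fuse(alerts):
            tpr += p_attack
            fpr += p_normal
    return tpr, fpr

def bayes_risk(fuse, prior_attack=0.01, cost_miss=10.0, cost_fa=1.0):
    """Expected cost per event: weighted misses plus weighted false alarms."""
    tpr, fpr = ensemble_rates(fuse)
    return prior_attack * cost_miss * (1 - tpr) + (1 - prior_attack) * cost_fa * fpr

if __name__ == "__main__":
    for rule in (lrt_fuse, and_fuse, or_fuse, majority_fuse):
        tpr, fpr = ensemble_rates(rule)
        print(f"{rule.__name__:14s} TPR={tpr:.4f} FPR={fpr:.6f} risk={bayes_risk(rule):.5f}")
```

With these operating points the LRT alarms when the low-false-positive detector ids_b fires alone, which majority voting would suppress, and it has the lowest Bayes risk of the four rules; changing the prior or costs moves its threshold, which is the flexibility the abstract refers to.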

Citation formats
  • HTML
    Guofei Gu, Alvaro Cardenas, Wenke Lee. <a href="http://www.truststc.org/pubs/321.html">Principled Reasoning and Practical Applications of Alert Fusion in Intrusion Detection Systems</a>, ACM Symposium on Information, Computer and Communications Security (ASIACCS'08), ACM, March 2008.
  • Plain text
    Guofei Gu, Alvaro Cardenas, Wenke Lee. "Principled Reasoning and Practical Applications of Alert Fusion in Intrusion Detection Systems". ACM Symposium on Information, Computer and Communications Security (ASIACCS'08), ACM, March 2008.
  • BibTeX
    @inproceedings{GuCardenasLee08_PrincipledReasoningPracticalApplicationsOfAlertFusion,
        author = {Guofei Gu and Alvaro Cardenas and Wenke Lee},
        title = {Principled Reasoning and Practical Applications of
                  Alert Fusion in Intrusion Detection Systems},
        booktitle = {ACM Symposium on Information, Computer and
                  Communications Security (ASIACCS'08)},
        organization = {ACM},
        month = {March},
        year = {2008},
        abstract = {It is generally believed that by combining several
                  diverse intrusion detectors (i.e., forming an IDS
                  ensemble), we may achieve better performance.
                  However, there has been very little work on
                  analyzing the effectiveness of an IDS ensemble. In
                  this paper, we study the following problem: how to
                  make a good fusion decision on the alerts from
                  multiple detectors in order to improve the final
                  performance. We propose a decision-theoretic alert
                  fusion technique based on the likelihood ratio
                  test (LRT). We report our experience from
                  empirical studies, and formally analyze its
                  practical interpretation based on ROC curve
                  analysis. Through theoretical reasoning and
                  experiments using multiple IDSs on several data
                  sets, we show that our technique is more flexible
                  and also outperforms other existing fusion
                  techniques such as AND, OR, majority voting, and
                  weighted voting.},
        URL = {http://www.truststc.org/pubs/321.html}
    }
    

Posted by Alvaro Cardenas on 13 Mar 2008.
Groups: trust
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.