University of Pennsylvania.
Loss-sensitive decision rules for intrusion detection and response.
Record Type:
Electronic resources : Monograph/item
Title/Author:
Loss-sensitive decision rules for intrusion detection and response.
Author:
Wang, Jia.
Description:
178 p.
Notes:
Source: Dissertation Abstracts International, Volume: 65-06, Section: B, page: 3010.
Notes:
Supervisors: Insup Lee; Linda Zhao.
Contained By:
Dissertation Abstracts International, 65-06B.
Subject:
Computer Science.
Online resource:
http://pqdd.sinica.edu.tw/twdaoapp/servlet/advanced?query=3138087
ISBN:
0496852574
Thesis (Ph.D.)--University of Pennsylvania, 2004. School code: 0175.
Abstract:
When large numbers of alerts are reported by intrusion detection (ID) systems at very fine granularity, system administrators cannot handle the alerts effectively. This in turn degrades the usability of an intrusion detection system. Aside from detection, timely response to intrusions is also critical to lower the risks brought by online attacks.
The goal of the dissertation is to improve alert accuracy and to develop decision rules for alert response while minimizing the risks brought by online attacks. The dissertation mainly consists of three parts: (1) We propose a general scheme based on supervised machine learning techniques that can be used to estimate the posterior probability of alerts, as required by decision rule methodology. In addition, the scheme brings alert information from disparate sources together to achieve higher accuracy. Although we focus only on combining misuse and anomaly alert information from ID systems in our study, it should not be difficult to extend the scheme to include alerts from other security devices, firewalls, VPNs or auditing tools. The scheme also makes anomaly ID systems more useful by providing contextual information for anomaly alerts, lowering the cost of alert handling. (2) We define the loss for each attack category through user-specific asset value levels of the target systems on the aspects of confidentiality, integrity and availability, together with the attack impact levels on the same three aspects. Based on these loss functions and the estimated posterior probability, we present the decision rule methodology for alert response that minimizes the risk brought by online attacks. Since there is no way to eliminate false positives completely, decision rules help us cope with them by taking the responsive action with minimal risk. (3) To evaluate the effectiveness of the proposed scheme, we carry out experiments using realistic attack traces. Since there are no widely available attack traces with good attack coverage and adequate numbers of attack instances, we generate realistic attack traces by selecting typical attacks and designing attack scenarios that reflect the real world. A representative combination of attacks is selected according to their typical attacking methods and the frequency of their presence on the Internet.
Outside experts with intensive hacking knowledge were invited to define hackers' behavior over the 5-day simulation period, based on empirical analysis of hacker personalities. The overall attack scenario consists of multiple interleaved, simultaneous hacking activities. The results of our data analysis demonstrate the decision rule methodology and show how the accuracy of alerts is improved by combining disparate alerts.
Subjects--Topical Terms:
Computer Science; Statistics; Artificial Intelligence.
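Added example, not code from the dissertation or from this catalog page: a minimal Python rendering of the loss-sensitive decision rule the abstract describes. An alert's posterior probability of being a real attack is combined with a loss table built from the target's asset value levels and the attack category's impact levels on confidentiality, integrity and availability, and the response with the smallest expected loss is chosen. The detector firing rates, the attack prior, the naive-Bayes fusion used to obtain the posterior (the dissertation uses a supervised learner for that step), the response set, the mitigation fractions, the notify and block costs, and the asset and impact levels are all constructed assumptions.

```python
"""Loss-sensitive alert response, as a worked example.

Constructed illustration of the decision-rule idea in the abstract:
estimate P(attack | alert evidence), assign each (response, true state)
pair a loss derived from the target's asset value levels and the attack
category's impact levels on confidentiality, integrity and availability,
and take the response with the smallest expected loss (risk).
All numbers below are invented for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

ASPECTS = ("confidentiality", "integrity", "availability")
RESPONSES = ("ignore", "notify", "block")

# Assumed: fraction of an attack's damage each response averts.
MITIGATION = {"ignore": 0.0, "notify": 0.5, "block": 1.0}
NOTIFY_COST = 0.1   # assumed analyst cost per notification, paid in either state
BLOCK_IMPACT = 1    # assumed availability impact level of blocking legitimate traffic


@dataclass(frozen=True)
class Detector:
    """Calibrated firing rates of one ID sensor (constructed values)."""
    name: str
    tpr: float  # P(fires | attack)
    fpr: float  # P(fires | no attack)


def posterior_attack(prior: float, outputs: list[tuple[Detector, bool]]) -> float:
    """P(attack | detector outputs) by naive-Bayes fusion of the sensors.

    The sensors are assumed conditionally independent given the true state.
    This stands in for the supervised estimator the dissertation uses; the
    decision rule below only needs the posterior, however it is obtained.
    """
    like_attack, like_benign = prior, 1.0 - prior
    for det, fired in outputs:
        like_attack *= det.tpr if fired else 1.0 - det.tpr
        like_benign *= det.fpr if fired else 1.0 - det.fpr
    return like_attack / (like_attack + like_benign)


def attack_damage(asset_values: dict[str, int], impact: dict[str, int]) -> float:
    """Loss if the attack fully succeeds: asset value level times impact level,
    summed over the three aspects (assumed form of the loss function)."""
    return float(sum(asset_values[a] * impact[a] for a in ASPECTS))


def loss(response: str, is_attack: bool,
         asset_values: dict[str, int], impact: dict[str, int]) -> float:
    """Loss of taking `response` when the true state is `is_attack`."""
    cost = NOTIFY_COST if response == "notify" else 0.0
    if is_attack:
        return cost + attack_damage(asset_values, impact) * (1.0 - MITIGATION[response])
    if response == "block":
        # A false positive that is blocked hurts the asset's own availability.
        return cost + asset_values["availability"] * BLOCK_IMPACT
    return cost


def expected_loss(response: str, p_attack: float,
                  asset_values: dict[str, int], impact: dict[str, int]) -> float:
    """Risk of a response: loss averaged over the posterior on the true state."""
    return (p_attack * loss(response, True, asset_values, impact)
            + (1.0 - p_attack) * loss(response, False, asset_values, impact))


def decide(p_attack: float, asset_values: dict[str, int],
           impact: dict[str, int]) -> tuple[str, dict[str, float]]:
    """Bayes decision rule: the response with minimum expected loss."""
    risks = {r: expected_loss(r, p_attack, asset_values, impact) for r in RESPONSES}
    return min(risks, key=risks.get), risks


# Constructed scenario: a misuse sensor (precise, misses novel attacks) and an
# anomaly sensor (sensitive, noisy) watching a web server for defacement.
MISUSE = Detector("misuse", tpr=0.7, fpr=0.01)
ANOMALY = Detector("anomaly", tpr=0.9, fpr=0.10)
PRIOR_ATTACK = 0.01
WEB_SERVER = {"confidentiality": 2, "integrity": 3, "availability": 3}
LAB_BOX = {"confidentiality": 1, "integrity": 1, "availability": 1}
DEFACEMENT = {"confidentiality": 0, "integrity": 3, "availability": 1}


def respond(misuse_fired: bool, anomaly_fired: bool,
            asset_values: dict[str, int] = WEB_SERVER,
            impact: dict[str, int] = DEFACEMENT) -> tuple[float, str, dict[str, float]]:
    """Fuse the two alerts into a posterior and choose the response."""
    p = posterior_attack(PRIOR_ATTACK, [(MISUSE, misuse_fired), (ANOMALY, anomaly_fired)])
    best, risks = decide(p, asset_values, impact)
    return p, best, risks


if __name__ == "__main__":
    for m, a in ((True, True), (True, False), (False, True), (False, False)):
        p, best, risks = respond(m, a)
        print(f"misuse={m!s:5} anomaly={a!s:5} P(attack)={p:.3f} -> {best:6} "
              + " ".join(f"{r}={v:.2f}" for r, v in risks.items()))
```

With these assumed numbers the rule grades its response by evidence: both sensors firing on the web server gives a posterior near 0.86 and a block, a single sensor gives a notification, and silence is ignored. For two actions the rule reduces to a threshold on the posterior, block when P(attack) exceeds B/(D+B) where D is the attack damage and B the self-inflicted cost of a wrong block, which is why the same anomaly-only alert that is worth a notification on the web server is ignored on the low-value lab box: the asset value levels, not just the detector, decide the action.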
Items (electronic holdings, 1 record):
Inventory Number: 000000001289
Location Name: Electronic collection (電子館藏)
Item Class: 1圖書 (book)
Material type: Thesis (學位論文)
Usage Class: Normal (一般使用)
Loan Status: On shelf
No. of reservations: 0
Multimedia file: http://libsw.nuk.edu.tw:81/login?url=http://pqdd.sinica.edu.tw/twdaoapp/servlet/advanced?query=3138087