Method and system for adaptive anomaly-based intrusion detection
Abstract
The input characteristics of a real-time IDS change continuously with time; a rigid (time- and behavior-invariant) classification threshold therefore limits the accuracy that the IDS can potentially achieve. A generic threshold tuning method and system is proposed which adaptively tunes the detection threshold of a real-time IDS in accordance with varying host and network behavior. The method and system perform statistical and information-theoretic analyses of the anomaly scores output by network- and host-based anomaly detection IDSs to reveal a consistent time correlation structure between benign activity periods, which is used to predict future anomaly scores and to adapt the IDS's detection threshold accordingly.
77 Citations
18 Claims
2. Method of claim 1, wherein the prediction model is quantified using statistical and information theoretic measures.

3. Method of claim 1, wherein the statistical and information theoretic measures are the autocorrelation and conditional entropy, respectively.

6. A computer implemented method for automatic threshold tuning of an intrusion detection system, the method comprising:
a) tracking the output anomaly score of an anomaly detection system (ADS) using a stochastic prediction model;
b) to predict expected values of future anomaly scores;
c) adjusting the subsequent adaptive classification threshold based on the prediction.
Dependent claims: 7, 8, 9, 10, 11.

12. A system for real time intrusion detection, the system comprising:
a) a prediction module to predict expected values of future anomaly scores under benign conditions;
b) an adaptation module that uses the prediction to set an adaptive threshold as a function of predicted score; and
c) a classification module that uses the adaptive threshold to classify unknown observations as possible intrusions.
Dependent claims: 13, 14, 15, 16, 17, 18.
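The abstract and claims 3, 6 and 12 describe one pipeline: quantify how predictable the benign anomaly-score series is (autocorrelation, conditional entropy), track it with a stochastic prediction model, predict the next benign score, set the threshold as a function of that prediction, and classify. The following is an added example written for this page, not the patent's embodiment or any vendor's code. Everything beyond the claim language is an assumption: the predictor is a plain AR(1) model fitted on a benign training window, the threshold rule is prediction plus k residual standard deviations, the `max_hold` re-synchronisation rule is the author's own caveat, and the anomaly-score series is constructed (a slow diurnal-like drift of the benign level, AR(1) noise and an injected 20-sample attack). It also runs the same k-sigma rule with a rigid threshold to make the abstract's point about accuracy concrete.

```python
"""Adaptive IDS threshold tuning (illustrative example, not the patent's code):
quantify the predictability of benign anomaly scores (autocorrelation,
conditional entropy), fit an AR(1) predictor, set the threshold as a
function of the predicted score, classify, and compare with a rigid threshold.
The AR(1) model, the k-sigma rule, max_hold and the synthetic data are assumptions."""
import math
import random
from typing import Dict, List, Tuple


def autocorrelation(xs: List[float], lag: int) -> float:
    """Sample autocorrelation at `lag` (the statistical measure named in claim 3)."""
    mean = sum(xs) / len(xs)
    var = sum((x - mean) ** 2 for x in xs)
    if var == 0.0:
        return 0.0
    return sum((xs[i] - mean) * (xs[i + lag] - mean) for i in range(len(xs) - lag)) / var


def conditional_entropy(xs: List[float], bins: int) -> float:
    """H(X_t | X_{t-1}) in bits over equal-width score bins (the information-theoretic
    measure named in claim 3): 0 = next score fully determined by the previous one,
    log2(bins) = unpredictable."""
    lo, width = min(xs), (max(xs) - min(xs)) or 1.0
    sym = [min(int((x - lo) / width * bins), bins - 1) for x in xs]
    pairs: Dict[Tuple[int, int], int] = {}
    prev: Dict[int, int] = {}
    for a, b in zip(sym, sym[1:]):
        pairs[(a, b)] = pairs.get((a, b), 0) + 1
        prev[a] = prev.get(a, 0) + 1
    n = len(sym) - 1

    def entropy(counts: Dict) -> float:
        return -sum(c / n * math.log2(c / n) for c in counts.values())

    return entropy(pairs) - entropy(prev)      # H(X_t, X_{t-1}) - H(X_{t-1})


class ScorePredictor:
    """Stochastic AR(1) model of the benign anomaly score,
    x_t - mu = phi * (x_{t-1} - mu) + e_t, fitted on a benign window (assumed model)."""

    def __init__(self, benign: List[float]) -> None:
        self.mu = sum(benign) / len(benign)
        self.phi = autocorrelation(benign, 1)
        resid = [(benign[i] - self.mu) - self.phi * (benign[i - 1] - self.mu)
                 for i in range(1, len(benign))]
        self.sigma = math.sqrt(sum(r * r for r in resid) / len(resid))
        self.state = benign[-1]                 # last score believed to be benign

    def predict(self) -> float:
        return self.mu + self.phi * (self.state - self.mu)


def adaptive_detect(model: ScorePredictor, scores: List[float],
                    k: float = 4.0, max_hold: int = 10) -> List[bool]:
    """Predict -> adapt threshold -> classify (the structure of claims 6 and 12).
    On an alert the model state is advanced with its own prediction, not the observed
    score, so a sustained attack cannot drag the threshold up behind it; after
    `max_hold` consecutive alerts it re-synchronises to the observations so a stale
    model does not keep firing once benign traffic resumes (assumed rule)."""
    alerts, held = [], 0
    for x in scores:
        pred = model.predict()
        threshold = pred + k * model.sigma     # adaptive threshold as a function of the prediction
        alert = x > threshold
        alerts.append(alert)
        held = held + 1 if alert else 0
        model.state = pred if alert and held <= max_hold else x
    return alerts


def synthetic_scores(seed: int = 7) -> Tuple[List[float], List[float], range]:
    """Constructed anomaly scores: a diurnal-like drift of the benign level (period 240
    samples) with AR(1) noise, plus an attack that adds 3.0 for 20 samples.
    Returns (training window, test window, attack indices within the test window)."""
    rng, noise, series = random.Random(seed), 0.0, []
    for t in range(720):
        noise = 0.6 * noise + rng.gauss(0.0, 0.3)
        series.append(5.0 + 3.0 * math.sin(2 * math.pi * t / 240) + noise)
    for t in range(600, 620):
        series[t] += 3.0
    return series[:360], series[360:], range(240, 260)


def run_demo(k: float = 4.0) -> Dict[str, float]:
    train, test, attack = synthetic_scores()
    benign = [i for i in range(len(test)) if i not in attack]
    adaptive = adaptive_detect(ScorePredictor(train), test, k)
    # rigid baseline: the same k-sigma rule, frozen at the training statistics
    mu = sum(train) / len(train)
    sd = math.sqrt(sum((x - mu) ** 2 for x in train) / len(train))
    static = [x > mu + k * sd for x in test]
    # the lowest rigid threshold that would still catch every attack sample,
    # and the benign alerts that threshold would cost
    lowest_rigid = min(test[i] for i in attack)
    return {
        "lag1_autocorrelation": autocorrelation(train, 1),
        "conditional_entropy_bits": conditional_entropy(train, 8),
        "adaptive_true_alerts": sum(adaptive[i] for i in attack),
        "adaptive_false_alerts": sum(adaptive[i] for i in benign),
        "static_true_alerts": sum(static[i] for i in attack),
        "static_false_alerts": sum(static[i] for i in benign),
        "rigid_false_alerts_to_catch_attack": sum(test[i] >= lowest_rigid for i in benign),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value:.3f}")
```

The two measures from claim 3 play the role the abstract gives them: a lag-1 autocorrelation near 1 and a conditional entropy well below log2(bins) say the benign score series has a time correlation structure worth predicting, and the same autocorrelation doubles as the AR(1) coefficient. The comparison at the end is the practical argument for adaptation: with the same k the rigid threshold never fires on the attack, and any rigid threshold low enough to catch it sits inside the benign daily swing and alerts constantly. Two caveats a practitioner would add: an attacker who raises the score slowly, staying under the adaptive threshold, can train the predictor to follow (the hold-on-alert rule limits this only once a sample crosses the threshold), and holding the state for too long leaves the model stale after a long incident, which is what `max_hold` bounds.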
Specification