Method and system for adaptive anomaly-based intrusion detection

US 20110185422A1
Filed: 01/22/2010
Published: 07/28/2011
Est. Priority Date: 01/22/2010
Status: Active Grant

First Claim

Patent Images

2-1. Method of claim 1, wherein the prediction model is quantified using statistical and information theoretic measures.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The input characteristics of a real-time IDS change continuously with time therefore setting a rigid (time and behavior invariant) classification threshold limits the accuracy that the IDS can potentially achieve. A generic threshold tuning method and system is proposed which can adaptively tune the detection threshold of a real-time IDS in accordance with varying host and network behavior. The method and system perform statistical and information-theoretic analyses of network and host-based IDSs'"'"' anomaly based intrusions to reveal a consistent time correlation structure between benign activity periods which is used to predict future anomaly scores and to adapt an IDS'"'"' detection threshold accordingly.

77 Citations

View as Search Results

18 Claims

2-1. Method of claim 1, wherein the prediction model is quantified using statistical and information theoretic measures.

3-2. Method of claim 1, wherein the statistical and information theoretic measures are the autocorrelation and conditional entropy, respectively.

6. A computer implemented method for automatic threshold tuning of an intrusion detection system, the method comprising:
- a) tracking the output anomaly score of an anomaly detection system (ADS) using a stochastic prediction model;
  
  b) to predict expected values of future anomaly scores;
  
  c) adjusting the subsequent adaptive classification threshold based on the prediction.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. Method of claim 6, wherein the real time anomaly scores exhibit a decaying temporal dependence.
  - 8. Method of claim 6, wherein the stochastic prediction model is a Markov Chain, a Kalman filter or a Holt-Winters predictor.
  - 9. Method of claim 6, further comprises predicting future anomaly scores using a few previous scores.
  - 10. Method of claim 6, wherein the predicted anomaly scores are used to threshold future scores for unknown real time measurements.
  - 11. Method of claim 6, wherein the subsequent adaptive thresholds are set in accordance with varying input characteristics.

12. A system for real time intrusion detection, the system comprising:
- a) a prediction module to predict expected values of future anomaly scores under benign conditions;
  
  b) an adaptation module that uses the prediction to set an adaptive threshold as a function of predicted score; and
  
  c) a classification module that uses the adaptive threshold to classify unknown observations as possible intrusions.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. System of claim 12, wherein the prediction module is a Markov Chain, a Kalman filter or a Holt-Winters predictor.
  - 14. System of claim 12, wherein anomaly scores in the prediction module exhibit a decaying temporal dependence.
  - 15. System of claim 12, wherein statistical and information theoretic measures are used to quantify the output of prediction module.
  - 16. System of claim 12, wherein the statistical and information theoretic measure in the prediction module are autocorrelation and conditional entropy, respectively.
  - 17. System of claim 12, wherein the adaptation module uses predicted scores to threshold future scores in accordance with varying input characteristic.
  - 18. System of claim 12, wherein the unknown observations are classified as intrusions by comparing the anomaly scores of unknown observations with the predicted threshold in the said classification module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
School of Electrical Engineering and Automation Tianjin University
Original Assignee
National University of Sciences and Technology, The School of Electrical Engineering & Computer Science National University of Sciences
Inventors
Khayam, Syed Ali, Ali, Muhammad Qasim

Granted Patent

US 8,800,036 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

Method and system for adaptive anomaly-based intrusion detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

77 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for adaptive anomaly-based intrusion detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

77 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links