SYSTEM AND METHOD FOR OPERATING POINT AND BOX ENUMERATION FOR INTERVAL BAYESIAN DETECTION
Abstract
When using intrusion detection systems, security specialists are concerned with false positive rates and true positive rates. A false positive is an alert raised when no actual intrusion has occurred; a true positive is an alert raised for an actual intrusion. Ideally the true positive rate is 1 and the false positive rate is 0, but such a situation is impossible in the real world, so one must balance the true positive rate against the false positive rate to produce the best result at the best price. Instead of determining every possible operating point of the intrusion detection system, one can simplify the choice of detection sets by choosing only operating points that are not dominated by other operating points.
19 Claims
1. A method for selecting an operating point of an intrusion detection system comprising:
- determining a true positive rate for the intrusion detection system at each of a plurality of possible vectors of sensor output values;
- determining a false positive rate for the intrusion detection system at each of a plurality of possible vectors of sensor output values;
- calculating a ratio of the true positive rate to the false positive rate of the intrusion detection system at each possible vector of sensor output values;
- sorting by the ratio of the true positive rate to the false positive rate;
- placing the sorted sensor combinations in an output set, wherein the output set represents a convex hull set of non-dominated operating points of the intrusion detection system; and
- selecting a first operating point from the output set for operating the intrusion detection system.

6. A method for selecting an operating point of an intrusion detection system comprising:
- determining a range of true positive rates for each sensor within the intrusion detection system;
- determining a range of false positive rates for each sensor within the intrusion detection system;
- creating an operating box wherein each operating box comprises the range of true positive rates and the range of false positive rates for the intrusion detection system;
- selecting a point within the operating box;
- calculating the ratio of the true positive rate to the false positive rate of each selected point;
- sorting by the ratio of the true positive rate to the false positive rate;
- placing the sorted sensor combinations in an output set, wherein the output set represents a convex hull set of non-dominated operating points of the intrusion detection system; and
- selecting a first operating point from the output set.

11. A machine-readable medium including instructions for selecting an operating point of an intrusion detection system, which when executed by a computing device, cause the computing device to:
- determine the true positive rate for the intrusion detection system at each possible vector of sensor output values;
- determine the false positive rate for the intrusion detection system at each possible vector of sensor output values;
- calculate the ratio of the true positive rate to the false positive rate of the overall intrusion detection system at each possible vector of sensor output values;
- sort by the ratio of the true positive rate to the false positive rate;
- place the sorted sensor combinations in an output set, wherein the output set represents a convex hull set of non-dominated operating points of the intrusion detection system;
- select a first operating point from the output set; and
- operate the intrusion detection system at the first operating point.

15. An intrusion detection system comprising:
- a plurality of sensors, each of the plurality of sensors arranged to produce one of a plurality of a sensor output values;
- processing circuitry arranged to:
  - determine a true positive rate for the intrusion detection system at each of a plurality of possible vectors of sensor output values;
  - determine a false positive rate for the intrusion detection system at each of a plurality of possible vectors of sensor output values;
  - calculate a ratio of the true positive rate to the false positive rate of the intrusion detection system at each possible vector of sensor output values;
  - sort by the ratio of the true positive rate to the false positive rate;
  - place the sorted sensor combinations in an output set, wherein the output set represents a convex hull set of non-dominated operating points of the intrusion detection system; and
  - select a first operating point from the output set for operating the intrusion detection system.

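The procedure recited in claims 1, 11 and 15 can be sketched as follows; this is an added example, not code from the patent. It assumes binary sensors that are conditionally independent, constructed detection and false-alarm rates, reads the per-vector "rate" as the probability of that exact output vector, and uses a hypothetical false-positive budget as the selection rule.

```python
from itertools import product

# Constructed sample sensors: (P(alert | intrusion), P(alert | no intrusion)).
SENSORS = [(0.90, 0.10), (0.70, 0.05), (0.60, 0.20)]

def vector_rates(sensors):
    """Per-vector (vector, tp, fp): probability of seeing that exact
    output vector with and without an intrusion, assuming the sensors
    are conditionally independent (an assumption of this sketch)."""
    rows = []
    for vec in product((0, 1), repeat=len(sensors)):
        tp = fp = 1.0
        for bit, (p_det, p_fa) in zip(vec, sensors):
            tp *= p_det if bit else 1.0 - p_det
            fp *= p_fa if bit else 1.0 - p_fa
        rows.append((vec, tp, fp))
    return rows

def hull_operating_points(sensors):
    """Sort vectors by tp/fp, highest first, and accumulate. Point k
    means 'alert on the first k vectors'; returns (alert_set, fpr, tpr)."""
    def ratio(row):
        # A vector never seen without an intrusion ranks first.
        return float("inf") if row[2] == 0 else row[1] / row[2]
    ordered = sorted(vector_rates(sensors), key=ratio, reverse=True)
    points, alert_set, tpr, fpr = [((), 0.0, 0.0)], [], 0.0, 0.0
    for vec, tp, fp in ordered:
        alert_set.append(vec)
        tpr, fpr = tpr + tp, fpr + fp
        points.append((tuple(alert_set), fpr, tpr))
    return points

def select_point(points, max_fpr):
    """Hypothetical selection rule: highest TPR within an FPR budget."""
    ok = [p for p in points if p[1] <= max_fpr + 1e-12]
    return max(ok, key=lambda p: p[2])

if __name__ == "__main__":
    pts = hull_operating_points(SENSORS)
    for alert_set, fpr, tpr in pts:
        print(f"alert on {len(alert_set)} vectors  FPR={fpr:.4f}  TPR={tpr:.4f}")
    chosen = select_point(pts, max_fpr=0.01)
    print("chosen:", chosen[0], f"FPR={chosen[1]:.4f} TPR={chosen[2]:.4f}")
```

Because the vectors are added in order of decreasing ratio, the slope between consecutive points never increases, so with 3 sensors the 9 listed points trace a concave curve rather than the 256 possible alert sets.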
Specification