APPARATUS AND METHOD FOR IMPROVING DETECTION PERFORMANCE OF INTRUSION DETECTION SYSTEM
First Claim
1. An apparatus for improving detection performance of an intrusion detection system, comprising:
a transformed detected data generation unit for changing pieces of original detected data, detected based on current detection rules, to pieces of transformed detected data complying with a transformed detected data standard;
a transformed detected data classification unit for classifying the pieces of transformed detected data by attack type, classifying pieces of transformed detected data for respective attack types by current detection rule, and classifying pieces of transformed detected data for respective detection rules into true positives/false positives;
a transformed keyword tree generation unit for generating a true positive transformed keyword tree and a false positive transformed keyword tree, based on results of classification by the transformed detected data classification unit;
a true positive path identification unit for generating a true positive node by comparing the true positive transformed keyword tree with the false positive transformed keyword tree, and for identifying a true positive path connecting a base node to the true positive node in the true positive transformed keyword tree; and
a true positive detection pattern generation unit for generating a true positive detection pattern based on the identified true positive path.
Abstract
An apparatus for improving detection performance of an intrusion detection system includes a transformed detected data generation unit for changing original detected data, detected based on current detection rules, to transformed detected data complying with transformed detected data standard. A transformed detected data classification unit classifies the transformed detected data by attack type, classifies transformed detected data for attack types by current detection rule, and classifies transformed detected data for detection rules into true positives/false positives. A transformed keyword tree generation unit generates a true positive transformed keyword tree and a false positive transformed keyword tree. A true positive path identification unit generates a true positive node, and identifies a true positive path connecting a base node to the true positive node in the true positive transformed keyword tree. A true positive detection pattern generation unit generates a true positive detection pattern based on the true positive path.
16 Claims
1. (Independent apparatus claim; text as set out above under First Claim. Dependent claims: 2 to 8.)
9. A method for improving detection performance of an intrusion detection system, comprising:
changing, by a transformed detected data generation unit, pieces of original detected data, detected based on current detection rules, to pieces of transformed detected data complying with a transformed detected data standard;
classifying, by a transformed detected data classification unit, the pieces of transformed detected data by attack type, classifying, by the transformed detected data classification unit, pieces of transformed detected data for respective attack types by current detection rule, and classifying, by the transformed detected data classification unit, pieces of transformed detected data for respective detection rules into true positives/false positives;
generating, by a transformed keyword tree generation unit, a true positive transformed keyword tree and a false positive transformed keyword tree, based on results of the classification;
generating, by a true positive path identification unit, a true positive node by comparing the true positive transformed keyword tree with the false positive transformed keyword tree, and identifying, by the true positive path identification unit, a true positive path connecting a base node to the true positive node in the true positive transformed keyword tree; and
generating, by a true positive detection pattern generation unit, a true positive detection pattern based on the identified true positive path.
(Dependent claims: 10 to 16.)
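The method of claim 9, worked through in code as an added illustration (not code from the patent or its assignee). It assumes the "transformed detected data standard" is a lowercase keyword sequence with digit runs replaced by a placeholder, that the keyword tree is a trie rooted at a base node, that a true positive node is the first keyword on a branch absent from the false positive tree, and that the generated detection pattern is the keyword path from the base node to that node; the alerts are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample detected data: (attack type, detection rule, TP/FP label, raw detected data)
SAMPLES = [
    ("sqli", "R1", "tp", "GET /item?id=1 UNION SELECT user,pass FROM users"),
    ("sqli", "R1", "tp", "GET /item?id=2 UNION SELECT name FROM accounts"),
    ("sqli", "R1", "fp", "GET /docs?q=select union article"),
    ("sqli", "R1", "fp", "GET /item?id=3 union sort"),
    ("xss", "R2", "tp", "GET /s?q=<script>alert(1)</script>"),
    ("xss", "R2", "fp", "GET /s?q=script tutorial"),
]

def transform(raw):
    """Assumed transformed detected data standard: lowercase, digits -> 'num', keyword tokens."""
    text = re.sub(r"\d+", "num", raw.lower())
    return [t for t in re.split(r"[^a-z0-9]+", text) if t]

def build_tree(sequences):
    """Transformed keyword tree as nested dicts; the root dict is the base node."""
    root = {}
    for seq in sequences:
        node = root
        for kw in seq:
            node = node.setdefault(kw, {})
    return root

def true_positive_paths(tp_tree, fp_tree):
    """Compare the TP tree with the FP tree; a keyword present in the TP tree but not at the
    same position in the FP tree is a true positive node. Return base-node-to-TP-node paths."""
    paths = []
    def walk(tp_node, fp_node, path):
        for kw, child in tp_node.items():
            if kw not in fp_node:
                paths.append(path + [kw])          # TP node found; stop descending
            else:
                walk(child, fp_node[kw], path + [kw])
    walk(tp_tree, fp_tree, [])
    return paths

def generate_patterns(samples):
    """Classify by attack type, then rule, then TP/FP; emit one pattern per TP path."""
    groups = defaultdict(lambda: {"tp": [], "fp": []})
    for attack, rule, label, raw in samples:
        groups[(attack, rule)][label].append(transform(raw))
    patterns = {}
    for key, g in groups.items():
        tp_tree, fp_tree = build_tree(g["tp"]), build_tree(g["fp"])
        patterns[key] = [" ".join(p) for p in true_positive_paths(tp_tree, fp_tree)]
    return patterns

def matches(pattern, raw):
    """A generated pattern is a path from the base node, so it must prefix the keyword sequence."""
    p = pattern.split()
    return transform(raw)[:len(p)] == p
```

Because both FP alerts under R1 share the prefix up to `union`, the only keyword that separates true from false positives is `select` immediately after it, and that is exactly the path the comparison emits.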
Specification