Methods for cost-sensitive modeling for intrusion detection and response
Abstract
A method of detecting an intrusion in the operation of a computer system based on a plurality of events. A rule set is determined for a training set of data comprising a set of features having associated costs. For each of a plurality of events, the set of features is computed and a class is predicted for the features with a rule of the rule set. For each event predicted as an intrusion, a response cost and a damage cost are determined, wherein the damage cost is determined based on such factors as the technique of the intrusion, the criticality of the component of the computer system subject to the intrusion, and a measure of progress of the intrusion. If the damage cost is greater than or equal to the response cost, a response to the event is initiated.
124 Citations
35 Claims
1. A method of modeling a cost-sensitive intrusion detection model, comprising:
- (a) generating a training set of data suitable as input for machine learning, said training set of data comprising a set of features having associated costs;
- (b) automatically determining, using a computer programmed to do so, at least one model based on said training set of data using machine learning;
- (c) for each of a plurality of events, computing, using a computer programmed to do so, said set of features and predicting a class of said event using said at least one model;
- (d) determining a response cost to be incurred by a computer system in responding to an event predicted as an intrusion in (c), wherein said response cost is estimated based upon the resources of the computer system to be expended in responding to the event, and determining a damage cost for an event predicted as an intrusion in (c), wherein said damage cost is determined based on at least one of the group consisting of a technique of the intrusion, a criticality of a component of the computer system subject to the intrusion, and a progress of the intrusion; and
- (e) initiating a response to the event if the damage cost is greater than or equal to the response cost.
Dependent claims: 2 to 21.
22. A method of modeling a cost-sensitive intrusion detection model, using at least one model, comprising:
- (a) for each of a plurality of events, computing, using a computer programmed to do so, said set of features and predicting a class of said event using said at least one model;
- (b) determining a response cost to be incurred by a computer system in responding to an event predicted as an intrusion in (a), wherein said response cost is estimated based upon the resources of the computer system to be expended in responding to the event; and determining a damage cost for an event predicted as an intrusion in (a), wherein said damage cost is determined based on at least one of the group consisting of a technique of the intrusion, a criticality of a component of the computer system subject to the intrusion, and a progress of the intrusion; and
- (c) initiating a response to the event if the damage cost is greater than or equal to the response cost.
Dependent claims: 23 to 34.
35. A method of modeling a cost-sensitive intrusion detection model, comprising:
- (a) generating a training set of data suitable as input for machine learning, said training set of data comprising a set of features having associated costs;
- (b) automatically determining, using a computer programmed to do so, at least one model based on said training set of data using machine learning;
- (c) for each of a plurality of events, computing, using a computer programmed to do so, said set of features and predicting a class of said event using said at least one model;
- (d) determining a response cost to be incurred by a computer system in responding to an event predicted as an intrusion in (c), wherein said response cost is estimated based upon the resources of the computer system to be expended in responding to the event;
- (e) determining a damage cost for an event predicted as an intrusion in (c), wherein said damage cost is determined based on at least one of the group consisting of a technique of the intrusion, a criticality of a component of the computer system subject to the intrusion, and a progress of the intrusion;
- (f) determining a metric for comparing the response cost and the damage costs; and
- (g) initiating a response to the event if the damage cost is greater than or equal to the response cost.
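Added worked example of the response-decision steps the independent claims share (steps (d) and (e) of claim 1): the damage cost of a predicted intrusion is derived from the technique, the criticality of the affected component and the intrusion's progress, the response cost from the resources the response consumes, and a response is initiated only when damage cost is greater than or equal to response cost. This is illustration code written for this page, not the patentees' implementation; the cost tables, technique names, response names and events are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed cost tables in arbitrary units (assumptions for this example, not
# values from the patent): damage scales with the technique, the criticality of
# the affected component and the intrusion's progress; response cost is the
# resources the system would expend on the response it would take.
TECHNIQUE_DAMAGE = {"port_scan": 1.0, "brute_force": 8.0, "remote_exploit": 40.0}
COMPONENT_CRITICALITY = {"workstation": 1.0, "file_server": 2.5, "domain_controller": 5.0}
PROGRESS_FACTOR = {"attempted": 0.25, "in_progress": 0.6, "succeeded": 1.0}
RESPONSE_FOR = {"port_scan": "block_source", "brute_force": "lock_account",
                "remote_exploit": "isolate_host"}
RESPONSE_COST = {"block_source": 3.0, "lock_account": 6.0, "isolate_host": 20.0}

@dataclass(frozen=True)
class Event:
    event_id: str
    predicted_class: str  # class predicted in step (c); "normal" = no intrusion
    component: str        # component of the system subject to the event
    progress: str         # how far the intrusion has progressed

def damage_cost(technique: str, component: str, progress: str) -> float:
    """Step (d): damage cost from technique, component criticality and progress."""
    return TECHNIQUE_DAMAGE[technique] * COMPONENT_CRITICALITY[component] * PROGRESS_FACTOR[progress]

def response_cost(technique: str) -> float:
    """Step (d): resources the system would expend on its response."""
    return RESPONSE_COST[RESPONSE_FOR[technique]]

def decide(event: Event) -> dict:
    """Step (e): initiate the response only if damage cost >= response cost."""
    if event.predicted_class == "normal":  # not predicted as an intrusion: nothing to weigh
        return {"event_id": event.event_id, "respond": False, "response": None, "damage": 0.0, "cost": 0.0}
    damage = damage_cost(event.predicted_class, event.component, event.progress)
    cost = response_cost(event.predicted_class)
    respond = damage >= cost
    return {"event_id": event.event_id, "respond": respond, "damage": damage, "cost": cost,
            "response": RESPONSE_FOR[event.predicted_class] if respond else None}

# Constructed events: the same predicted class is answered differently depending on
# which component it hits and how far it has progressed.
SAMPLE_EVENTS = [
    Event("e1", "port_scan", "workstation", "attempted"),         # 0.25 < 3  -> ignore
    Event("e2", "port_scan", "domain_controller", "succeeded"),   # 5.0 >= 3  -> respond
    Event("e3", "remote_exploit", "workstation", "attempted"),    # 10 < 20   -> ignore
    Event("e4", "remote_exploit", "workstation", "in_progress"),  # 24 >= 20  -> respond
    Event("e5", "normal", "file_server", "attempted"),            # no intrusion predicted
]

def triage(events=SAMPLE_EVENTS) -> list:
    """Run the cost comparison over every event and return the decisions."""
    return [decide(e) for e in events]
```

Note that e1 and e3 are real predicted intrusions that the rule deliberately leaves unanswered because responding would cost more than the estimated damage; the comparison metric of claim 35 can replace the plain `>=` without changing the rest.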
Specification