Method and system for adaptive anomaly-based intrusion detection
First Claim
1. A computer implemented method of intrusion detection in an enterprise network, the method comprising:
a) developing a prediction model to predict expected values of future anomaly scores from real time anomaly scores based on an output of an anomaly detection system derived from an input of network traffic pattern data of the enterprise network in real time under benign conditions;
b) setting an adaptive classification threshold based on the expected values predicted by the prediction model; and
c) classifying unknown observations not within the adaptive classification threshold as possible intrusions;
wherein the expected values of future anomaly scores (r̂(n+1)) are calculated from the equation;
1 Assignment
0 Petitions
Abstract
The input characteristics of a real-time IDS change continuously with time; therefore, setting a rigid (time- and behavior-invariant) classification threshold limits the accuracy that the IDS can potentially achieve. A generic threshold tuning method and system is proposed which can adaptively tune the detection threshold of a real-time IDS in accordance with varying host and network behavior. The method and system perform statistical and information-theoretic analysis of the anomaly scores produced by network- and host-based IDSs to reveal a consistent time correlation structure between benign activity periods, which is used to predict future anomaly scores and to adapt an IDS' detection threshold accordingly.
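The abstract describes predicting the next anomaly score from the time-correlation structure of benign scores and moving the classification threshold with that prediction, so that a slowly drifting benign baseline is not flagged while a sudden departure still is. The claims' equation for r̂(n+1) is not reproduced on this page. The Python below is an added illustration written for this page, not the patent's own method or code: it substitutes an exponentially weighted predictor (an assumption) for the unspecified prediction model, tracks the prediction error to size the margin, and compares the adaptive threshold against a rigid one on constructed anomaly scores. Class, function and parameter names (`AdaptiveThreshold`, `run_demo`, `alpha`, `k`, `min_sigma`) are hypothetical.

```python
"""Adaptive anomaly-score threshold (illustrative, not the patent's equation).

Predict the next benign anomaly score r_hat(n+1) with an exponentially
weighted moving average (EWMA; an assumed predictor), keep an EWMA of the
squared prediction error as a variance estimate, and set the threshold at
r_hat(n+1) + k * sigma. Observations above the threshold are classified
as possible intrusions and are NOT fed back into the predictor, so that an
attack cannot pull the threshold up behind it.
"""
from dataclasses import dataclass
import math


@dataclass
class AdaptiveThreshold:
    alpha: float = 0.3        # EWMA weight (assumed value)
    k: float = 3.0            # margin multiplier on the error std-dev
    min_sigma: float = 0.05   # floor so the margin never collapses to zero
    r_hat: float = 0.0        # predicted next anomaly score
    var: float = 0.0          # EWMA of squared prediction error
    warmed: bool = False

    def threshold(self) -> float:
        """Current adaptive classification threshold."""
        sigma = max(math.sqrt(self.var), self.min_sigma)
        return self.r_hat + self.k * sigma

    def update(self, r: float) -> None:
        """Advance the predictor with an observation judged benign."""
        if not self.warmed:                 # first sample seeds the predictor
            self.r_hat, self.warmed = r, True
            return
        err = r - self.r_hat
        self.var = self.alpha * err * err + (1 - self.alpha) * self.var
        self.r_hat = self.alpha * r + (1 - self.alpha) * self.r_hat

    def fit(self, benign_scores) -> None:
        """Train on scores recorded under benign conditions."""
        for r in benign_scores:
            self.update(r)

    def classify(self, r: float) -> bool:
        """True if r falls outside the adaptive threshold (possible intrusion)."""
        alert = r > self.threshold()
        if not alert:
            self.update(r)                  # only benign-looking scores adapt
        return alert


def run_demo() -> dict:
    """Compare a rigid threshold with the adaptive one on constructed scores."""
    noise = lambda i: 0.02 if i % 2 else -0.02          # deterministic jitter
    # Constructed benign training period: baseline ramps 0.1 -> 0.5.
    benign = [0.1 + 0.4 * i / 39 + noise(i) for i in range(40)]
    # Constructed live period: benign drift 0.5 -> 0.7, then a sudden spike.
    drift = [0.5 + 0.2 * (i + 1) / 20 + noise(i) for i in range(20)]
    spike, after_spike = 2.5, 0.7

    rigid = max(benign) * 1.1               # rigid threshold fixed at training time
    adaptive = AdaptiveThreshold()
    adaptive.fit(benign)

    fixed_false = sum(1 for r in drift if r > rigid)
    adaptive_false = sum(1 for r in drift if adaptive.classify(r))
    spike_adaptive = adaptive.classify(spike)
    post_spike_alert = adaptive.classify(after_spike)

    return {
        "rigid_threshold": rigid,
        "fixed_false_alerts": fixed_false,          # benign drift flagged by rigid
        "adaptive_false_alerts": adaptive_false,    # benign drift flagged by adaptive
        "spike_alert_fixed": spike > rigid,
        "spike_alert_adaptive": spike_adaptive,
        "post_spike_alert": post_spike_alert,       # baseline resumes, no alert
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The margin floor `min_sigma` matters in practice: after a long quiet period the error variance shrinks toward zero and a pure `k * sigma` margin would start flagging ordinary jitter. Skipping `update` on flagged observations is the other defensive choice; without it a gradual attack ramp would train the threshold upward.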
14 Claims
1. A computer implemented method of intrusion detection in an enterprise network, the method comprising:
a) developing a prediction model to predict expected values of future anomaly scores from real time anomaly scores based on an output of an anomaly detection system derived from an input of network traffic pattern data of the enterprise network in real time under benign conditions;
b) setting an adaptive classification threshold based on the expected values predicted by the prediction model; and
c) classifying unknown observations not within the adaptive classification threshold as possible intrusions;
wherein the expected values of future anomaly scores (r̂(n+1)) are calculated from the equation;
Dependent claims: 2, 3, 8, 9, 10, 13
4. A computer implemented method of adjusting an adaptive classification threshold in an intrusion detection system, the intrusion detection system using the adaptive classification threshold to identify possible intrusions, the method comprising:
a) tracking a real time anomaly score based on an output of an anomaly detection system derived from an input of network traffic pattern data of an enterprise network in real time using a stochastic prediction model;
b) predicting expected values of future anomaly scores from the real time anomaly score of the stochastic prediction model; and
c) adjusting the adaptive classification threshold based on the expected values of future anomaly scores;
wherein the expected values of future anomaly scores (r̂(n+1)) are calculated from the equation;
Dependent claims: 5, 6, 7, 11, 12, 14