System and method for operating point and box enumeration for interval bayesian detection
Abstract
When using intrusion detection systems, security specialists are concerned with false positive rates and true positive rates. A false positive is an alert raised when no intrusion has actually occurred; a true positive is an alert raised for an actual intrusion. Ideally the true positive rate is 1 and the false positive rate is zero, but that is impossible in the real world, so one must balance the true positive rate against the false positive rate to produce the best result at the best price. The choice of detection sets can be simplified by, instead of evaluating every possible operating point of the intrusion detection system, considering only operating points that are not dominated by other operating points.
16 Claims
1. A processor-implemented method for selecting an operating point of an intrusion detection system in a computer, the method comprising:
determining a true positive rate for the intrusion detection system at each of a plurality of possible vectors of sensor output values;
determining a false positive rate for the intrusion detection system at each of a plurality of possible vectors of sensor output values;
calculating a ratio of the true positive rate to the false positive rate of the intrusion detection system at each possible vector of sensor output values;
sorting by the ratio of the true positive rate to the false positive rate;
placing sorted sensor combinations in an output set, wherein the output set represents a convex hull set of non-dominated operating points of the intrusion detection system;
selecting a first operating point from the output set for operating the intrusion detection system;
selecting a second operating point from the output set;
operating the intrusion detection system at the first operating point for a first predetermined amount of time; and
operating the intrusion detection system at the second operating point for a second predetermined amount of time.
(Dependent claims: 2, 3, 4)

5. A processor-implemented method for selecting an operating point of an intrusion detection system in a computer system, the method comprising:
determining a range of true positive rates for each sensor within the intrusion detection system;
determining a range of false positive rates for each sensor within the intrusion detection system;
creating an operating box, wherein each operating box comprises the range of true positive rates and the range of false positive rates for the intrusion detection system;
selecting a point within the operating box;
calculating the ratio of the true positive rate to the false positive rate of each selected point;
sorting by the ratio of the true positive rate to the false positive rate;
placing the sorted sensor combinations in an output set, wherein the output set represents a convex hull set of non-dominated operating points of the intrusion detection system; and
selecting a first operating point from the output set.
(Dependent claims: 6, 7, 8, 9)

10. A machine-readable medium comprising a storage device to store instructions including instructions for selecting an operating point of an intrusion detection system, which when executed by a computing device, cause the computing device to:
determine the true positive rate for the intrusion detection system at each possible vector of sensor output values;
determine the false positive rate for the intrusion detection system at each possible vector of sensor output values;
calculate the ratio of the true positive rate to the false positive rate of the overall intrusion detection system at each possible vector of sensor output values;
sort by the ratio of the true positive rate to the false positive rate;
place the sorted sensor combinations in an output set, wherein the output set represents a convex hull set of non-dominated operating points of the intrusion detection system;
select a first operating point from the output set;
operate the intrusion detection system at the first operating point;
select a second operating point from the output set;
operate the intrusion detection system at the first operating point for a first predetermined amount of time; and
operate the intrusion detection system at the second operating point for a second predetermined amount of time.
(Dependent claims: 11, 12)

13. An intrusion detection system comprising:
a plurality of sensors, each of the plurality of sensors arranged to produce one of a plurality of sensor output values;
processing circuitry arranged to:
determine a true positive rate for the intrusion detection system at each of a plurality of possible vectors of sensor output values;
determine a false positive rate for the intrusion detection system at each of a plurality of possible vectors of sensor output values;
calculate a ratio of the true positive rate to the false positive rate of the intrusion detection system at each possible vector of sensor output values;
sort by the ratio of the true positive rate to the false positive rate;
place the sorted sensor combinations in an output set, wherein the output set represents a convex hull set of non-dominated operating points of the intrusion detection system;
select a first operating point from the output set for operating the intrusion detection system;
select a second operating point from the output set;
operate the intrusion detection system at the first operating point for a first predetermined amount of time; and
operate the intrusion detection system at the second operating point for a second predetermined amount of time.
(Dependent claims: 14, 15, 16)
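The enumeration of claim 1 worked through in code, as an added example that is not the patent's own implementation: every vector of sensor output values gets a TPR and FPR, the vectors are sorted by the TPR/FPR ratio, and the cumulative prefixes of that order are taken as the output set of operating points on the ROC convex hull, with a dominance filter as a final check. The two sensors, their names and per-sensor rates, the conditional-independence assumption, and the reading of "sorted sensor combinations" as cumulative prefixes of the sorted order are all assumptions of this example.

```python
from itertools import product
from typing import Dict, List, Tuple

# Constructed sample input (not from the patent): two sensors, each emitting
# 0 (quiet) or 1 (alert). Per sensor we assume (P[alert | intrusion],
# P[alert | benign]) and conditional independence, so joint rates multiply.
SENSORS = {"netflow": (0.80, 0.10), "hids": (0.60, 0.02)}

Vector = Tuple[int, ...]
Point = Tuple[float, float, Tuple[Vector, ...]]  # (FPR, TPR, vectors alerted on)

def vector_rates(sensors: Dict[str, Tuple[float, float]]) -> Dict[Vector, Tuple[float, float]]:
    """TPR and FPR of the rule 'alert only when the sensor outputs equal this
    vector', for every possible vector of sensor output values."""
    names = list(sensors)
    rates = {}
    for vec in product((0, 1), repeat=len(names)):
        tp = fp = 1.0
        for name, bit in zip(names, vec):
            det, fa = sensors[name]
            tp *= det if bit else 1.0 - det
            fp *= fa if bit else 1.0 - fa
        rates[vec] = (tp, fp)
    return rates

def hull_operating_points(rates: Dict[Vector, Tuple[float, float]]) -> List[Point]:
    """Sort vectors by TPR/FPR (a likelihood ratio) and accumulate. The k-th
    prefix is the rule 'alert on any of the first k vectors'; its cumulative
    (FPR, TPR) is one operating point, and because the ratio is non-increasing
    along the sort these points lie on the ROC convex hull."""
    def ratio(item):
        tp, fp = item[1]
        return tp / fp if fp > 0 else float("inf")
    ordered = sorted(rates.items(), key=ratio, reverse=True)
    points, cum_tp, cum_fp = [(0.0, 0.0, ())], 0.0, 0.0
    for k, (_, (tp, fp)) in enumerate(ordered, 1):
        cum_tp, cum_fp = cum_tp + tp, cum_fp + fp
        points.append((cum_fp, cum_tp, tuple(v for v, _ in ordered[:k])))
    return points

def non_dominated(points: List[Point]) -> List[Point]:
    """Drop any candidate that another candidate beats on both axes."""
    return [p for p in points
            if not any(q[0] <= p[0] and q[1] >= p[1] and q[:2] != p[:2] for q in points)]

if __name__ == "__main__":
    for fp, tp, rule in non_dominated(hull_operating_points(vector_rates(SENSORS))):
        print(f"FPR={fp:.3f} TPR={tp:.3f}  alert on {rule}")
```

Feeding a single-vector rule such as "alert only on (1, 0)" into `non_dominated` alongside the hull points shows it being discarded, since a hull prefix reaches a higher TPR at a lower FPR.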
Specification