System and method for operating point and box enumeration for interval bayesian detection

US 9,218,486 B2
Filed: 10/22/2013
Issued: 12/22/2015
Est. Priority Date: 10/22/2013
Status: Active Grant

First Claim

Patent Images

1. A processor-implemented method for selecting an operating point of an intrusion detection system in a computer, the method comprising:

determining a true positive rate for the intrusion detection system at each of a plurality of possible vectors of sensor output values;

determining a false positive rate for the intrusion detection system at each of a plurality of possible vectors of sensor output values;

calculating a ratio of the true positive rate to the false positive rate of the intrusion detection system at each possible vector of sensor output values;

sorting by the ratio of the true positive rate to the false positive rate;

placing sorted sensor combinations in an output set, wherein the output set represents a convex hull set of non-dominated operating points of the intrusion detection system;

selecting a first operating point from the output set for operating the intrusion detection system;

selecting a second operating point from the output set;

operating the intrusion detection system at the first operating point for a first predetermined amount of time; and

operating the intrusion detection system at the second operating point for a second predetermined amount of time.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

When using intrusion detection systems, security specialists are concerned with false positive rates and true positive rates. False positives are when an alert is raised, but no actual intrusion occurs. True positives are when an alert is raised for an actual intrusion. Ideally, true positive rate is 1 and false positive rate is zero, but such a situation is impossible in the real world. So one must balance a true positive rate and a false positive rate to produce the best result at the best price. One can simplify the choice of detection sets by, instead of determining each possible operating point of the information detection system, by only choosing operating points that are not dominated by other operating points.

6 Citations

View as Search Results

16 Claims

1. A processor-implemented method for selecting an operating point of an intrusion detection system in a computer, the method comprising:
- determining a true positive rate for the intrusion detection system at each of a plurality of possible vectors of sensor output values;
  
  determining a false positive rate for the intrusion detection system at each of a plurality of possible vectors of sensor output values;
  
  calculating a ratio of the true positive rate to the false positive rate of the intrusion detection system at each possible vector of sensor output values;
  
  sorting by the ratio of the true positive rate to the false positive rate;
  
  placing sorted sensor combinations in an output set, wherein the output set represents a convex hull set of non-dominated operating points of the intrusion detection system;
  
  selecting a first operating point from the output set for operating the intrusion detection system;
  
  selecting a second operating point from the output set;
  
  operating the intrusion detection system at the first operating point for a first predetermined amount of time; and
  
  operating the intrusion detection system at the second operating point for a second predetermined amount of time.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1 wherein:
    - determining the true positive rate for each detector comprises determining the true positive rate for each type of intrusion that each detector is capable of detecting; and
      
      determining the false positive rate for each detector comprises determining the false positive rate for each type of intrusion that each detector is capable of detecting.
  - 3. The method of claim 1 wherein:
    - the first predetermined amount of time and second predetermined amount of time are selected to produce an operating point that is intermediate between the first operating point and the second operating point.
  - 4. The method of claim 1 wherein placing the sorted sensor combinations in an output set comprises:
    - determining a total number of members of the output set, wherein the total number of members is a number of possible combinations of sensor output values;
      
      numbering the sensor combinations from 1 to X, where X is the number of members of the output set;
      
      placing a first combination of sensor output values into the output set as a first member of the output set;
      
      setting the second member of the output set as the union of the first member of the output set and a second combination of sensor output values;
      
      setting the third member of the output set as the union of the second member of the output set and a third combination of sensor output values; and
      
      continuing setting members through the Xth member of the output set.

5. A processor-implemented method for selecting an operating point of an intrusion detection system in a computer system, the method comprising:
- determining a range of true positive rates for each sensor within the intrusion detection system;
  
  determining a range of false positive rates for each sensor within the intrusion detection system;
  
  creating an operating box wherein each operating box comprises the range of true positive rates and the range of false positive rates for the intrusion detection system;
  
  selecting a point within the operating box;
  
  calculating the ratio of the true positive rate to the false positive rate of each selected point;
  
  sorting by the ratio of the true positive rate to the false positive rate;
  
  placing the sorted sensor combinations in an output set, wherein the output set represents a convex hull set of non-dominated operating points of the intrusion detection system; and
  
  selecting a first operating point from the output set.
- View Dependent Claims (6, 7, 8, 9)
- - 6. The method of claim 5 wherein selecting a point within the operating box comprises:
    - determining highest true positive rate within the operating box;
      
      determining the lowest false positive rate within the operating box; and
      
      selecting the point with the highest true positive rate and the lowest false positive rate.
  - 7. The method of claim 5 wherein:
    - determining the range of true positive rates for each detector comprises determining the range of true positive rates for each type of intrusion that each detector is capable of detecting; and
      
      determining the range of false positive rates for each detector comprises determining the range of false positive rates for each type of intrusion that each detector is capable of detecting.
  - 8. The method of claim 5 further comprising:
    - selecting a second operating point from the output set;
      
      operating the intrusion detection system at the first operating point for a first predetermined amount of time; and
      
      operating the intrusion detection system at the second operating point for a second predetermined amount of time.
  - 9. The method of claim 6 wherein:
    - the first predetermined amount of time and second predetermined amount of time are selected to produce an operating point that is intermediate between the first operating point and the second operating point.

10. A machine-readable medium comprising a storage device to store instructions including instructions for selecting an operating point of an intrusion detection system, which when executed by a computing device, cause the computing device to:
- determine the true positive rate for the intrusion detection system at each possible vector of sensor output values;
  
  determine the false positive rate for the intrusion detection system at each possible vector of sensor output values;
  
  calculate the ratio of the true positive rate to the false positive rate of the overall intrusion detection system at each possible vector of sensor output values;
  
  sort by the ratio of the true positive rate to the false positive rate;
  
  place the sorted sensor combinations in an output set, wherein the output set represents a convex hull set of non-dominated operating points of the intrusion detection system;
  
  select a first operating point from the output set;
  
  operate the intrusion detection system at the first operating point select a second operating point from the output set;
  
  operate the intrusion detection system at the first operating point for a first predetermined amount of time; and
  
  operate the intrusion detection system at the second operating point for a second predetermined amount of time.
- View Dependent Claims (11, 12)
- - 11. The machine-readable medium of claim 10 wherein:
    - determining the true positive rate for each detector comprises determining the true positive rate for each type of intrusion that each detector is capable of detecting; and
      
      determining the false positive rate for each detector comprises determining the false positive rate for each type of intrusion that each detector is capable of detecting.
  - 12. The machine-readable medium of claim 10 wherein:
    - the first predetermined amount of time and second predetermined amount of time are selected to produce an operating point that is intermediate between the first operating point and the second operating point.

13. An intrusion detection system comprising:
- a plurality of sensors, each of the plurality of sensors arranged to produce one of a plurality of a sensor output values;
  
  processing circuitry arranged to;
  
  determine a true positive rate for the intrusion detection system at each of a plurality of possible vectors of sensor output values;
  
  determine a false positive rate for the intrusion detection system at each of a plurality of possible vectors of sensor output values;
  
  calculate a ratio of the true positive rate to the false positive rate of the intrusion detection system at each possible vector of sensor output values;
  
  sort by the ratio of the true positive rate to the false positive rate;
  
  place the sorted sensor combinations in an output set, wherein the output set represents a convex hull set of non-dominated operating points of the intrusion detection system; and
  
  select a first operating point from the output set for operating the intrusion detection system;
  
  select a second operating point from the output set;
  
  operate the intrusion detection system at the first operating point for a first predetermined amount of time; and
  
  operate the intrusion detection system at the second operating point for a second predetermined amount of time.
- View Dependent Claims (14, 15, 16)
- - 14. The intrusion detection system of claim 13 wherein the processing circuitry is further arranged to:
    - determine the true positive rate for each detector comprises determining the true positive rate for each type of intrusion that each detector is capable of detecting; and
      
      determine the false positive rate for each detector comprises determining the false positive rate for each type of intrusion that each detector is capable of detecting.
  - 15. The intrusion detection system of claim 13 wherein:
    - the first predetermined amount of time and second predetermined amount of time are selected to produce an operating point that is intermediate between the first operating point and the second operating point.
  - 16. The intrusion detection system of claim 13 wherein placing the sorted sensor combinations in an output set comprises:
    - determining a total number of members of the output set, wherein the total number of members is a number of possible combinations of sensor output values;
      
      numbering the sensor combinations from 1 to X, where X is the number of members of the output set;
      
      placing a first combination of sensor output values into the output set as a first member of the output set;
      
      setting the second member of the output set as the union of the first member of the output set and a second combination of sensor output values;
      
      setting the third member of the output set as the union of the second member of the output set and a third combination of sensor output values; and
      
      continuing setting members through the Xth member of the output set.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Raytheon Company (Rtx Corporation)
Original Assignee
Raytheon Company (Rtx Corporation)
Inventors
Cole, Robert J.
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
Savenkov, Vadim

Application Number

US14/059,832
Publication Number

US 20150113645A1
Time in Patent Office

791 Days
Field of Search

726/23
US Class Current

1/1
CPC Class Codes

G06F 21/55 Detecting local intrusion o...

System and method for operating point and box enumeration for interval bayesian detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

6 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

System and method for operating point and box enumeration for interval bayesian detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

6 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others