An Adaptive Threshold Method for Anomaly-based Intrusion Detection Systems

Title: An Adaptive Threshold Method for Anomaly-based Intrusion Detection Systems
Publication Type: Conference Paper
Year of Publication: 2019
Authors: Chae, Younghun; Katenka, Natallia; DiPippo, Lisa
Conference Name: 2019 IEEE 18th International Symposium on Network Computing and Applications (NCA)
Date Published: Sep
Keywords: abnormal behaviors, Adaptive systems, adaptive threshold method, ADS, anomaly detection, Anomaly-based Detection Systems attempt, anomaly-based Intrusion Detection Systems, Bipartite graph, composability, computer network security, cybersecurity, dynamic environment, dynamic network environment, Internet, intrusion, IP networks, Metrics, Microsoft Windows, network intrusion detection, Network security, normal behaviors, normal data instances, Peer-to-peer computing, probability, pubcrawl, Resiliency, statistical analysis, Statistics, suspicious behaviors, Trust, Trust management
Abstract: Anomaly-based Detection Systems (ADSs) attempt to learn the features of the behaviors and events of a system and/or its users over a period of time in order to build a profile of normal behavior. There has been growing interest in ADSs, which are typically conceived of as more powerful systems. One of the important factors for an ADS is its ability to distinguish between normal and abnormal behaviors in a given period. However, this is becoming more complicated because of the dynamic network environment, which changes every minute. Distinguishing between normal and abnormal behaviors with a fixed threshold in a dynamic environment is dangerous, because there is no guarantee that the threshold remains an indication of normal behavior. In this paper, we propose an adaptive threshold for a dynamic environment, together with a trust management scheme for efficiently managing the profiles of normal and abnormal behaviors. Based on the assumption of statistical-analysis-based ADSs that normal data instances occur in high-probability regions of a stochastic model while malicious data instances occur in low-probability regions, we set two adaptive thresholds, one for normal and one for abnormal behaviors. Behaviors that fall between the two thresholds are classified as suspicious, and these are efficiently evaluated with a trust management scheme.
DOI: 10.1109/NCA.2019.8935045
Citation Key: chae_adaptive_2019
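The two-threshold scheme sketched in the abstract, as an added illustration that is not code from the paper: a rolling Gaussian profile supplies a moving normal band and a wider abnormal band, observations in the grey zone between them are scored against a per-source trust value, and only observations accepted as normal feed back into the profile. The window size, z-score multipliers, trust penalties and the input stream are all constructed assumptions, not values from the paper.

```python
import math
from collections import defaultdict, deque


class AdaptiveThresholdDetector:
    """Two moving thresholds around a rolling Gaussian profile, plus per-source trust."""

    def __init__(self, window=50, z_normal=2.0, z_abnormal=3.5,
                 trust_penalty=0.25, trust_recovery=0.05, trust_floor=0.5):
        self.window = deque(maxlen=window)      # recent values accepted as normal
        self.z_normal, self.z_abnormal = z_normal, z_abnormal
        self.penalty, self.recovery, self.floor = trust_penalty, trust_recovery, trust_floor
        self.trust = defaultdict(lambda: 1.0)   # trust per source, starts fully trusted

    def _profile(self):
        n = len(self.window)
        mean = sum(self.window) / n
        std = math.sqrt(sum((x - mean) ** 2 for x in self.window) / n)
        return mean, max(std, 1e-9)             # guard against a zero-variance window

    def thresholds(self):
        """Current (abnormal_low, normal_low, normal_high, abnormal_high) bounds."""
        mean, std = self._profile()
        return (mean - self.z_abnormal * std, mean - self.z_normal * std,
                mean + self.z_normal * std, mean + self.z_abnormal * std)

    def classify(self, source, value):
        if len(self.window) < 5:                # bootstrap: accept the first few as normal
            self.window.append(value)
            return "normal"
        mean, std = self._profile()
        z = abs(value - mean) / std             # distance from the high-probability region
        if z <= self.z_normal:
            label = "normal"
            self.trust[source] = min(1.0, self.trust[source] + self.recovery)
            self.window.append(value)           # only normal data moves the thresholds
        elif z >= self.z_abnormal:
            label = "abnormal"
        else:                                   # grey zone: let the trust score decide
            self.trust[source] -= self.penalty
            label = "abnormal" if self.trust[source] < self.floor else "suspicious"
        return label


def run_demo():
    """Constructed stream: 30 baseline readings, one outlier, one source lingering in the grey zone."""
    det = AdaptiveThresholdDetector()
    baseline = [det.classify("hostA", 100 + (i % 5) - 2) for i in range(30)]
    outlier = det.classify("hostB", 110)
    grey = [det.classify("hostC", 103.5) for _ in range(3)]
    return baseline, outlier, grey, det.thresholds()
```

Because the outlier and the grey-zone readings never enter the window, the thresholds returned at the end are still those of the baseline profile, which is the property that keeps a persistent attacker from dragging the normal band toward its own behavior.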