Increasing coverage to improve detection of network and host anomalies
Authors: Gaurav Tandon, Philip K. Chan
Abstract
For intrusion detection, the LERAD algorithm learns a succinct set of comprehensible rules for detecting anomalies, which could be novel attacks. LERAD validates the learned rules on a separate held-out validation set and removes rules that cause false alarms. However, removing rules that may have high coverage can lead to missed detections. We propose three techniques for increasing coverage: Weighting, Replacement and Hybrid. Weighting retains previously pruned rules and associates weights with them. Replacement, on the other hand, substitutes pruned rules with other candidate rules to ensure high coverage. We also present a Hybrid approach that selects between the two techniques based on training data coverage. Empirical results from seven data sets indicate that, for LERAD, increasing coverage by Weighting, Replacement and Hybrid detects more attacks than Pruning with minimal computational overhead.
Keywords: Rule learning, Anomaly detection, Rule pruning, Rule weighting, Rule replacement
Review process:
Paper URL: https://doi.org/10.1007/s10994-009-5145-3
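The following is an added illustration, not the authors' LERAD code, of why pruning loses coverage and how Weighting and Replacement recover it. It assumes a simplified rule form (if proto == v then target attribute is in the set of values seen in training), a constructed handful of records, a validation pass rate as the weight, and an anomaly score that sums the weights of violated rules; the Hybrid selection criterion is not on the page and is omitted.

```python
from collections import defaultdict

# Constructed records (proto, port, flags); not taken from any real data set.
TRAIN = [("tcp", 80, "SYN"), ("tcp", 443, "SYN"), ("udp", 53, "NONE"), ("tcp", 80, "ACK")]
VALID = [("tcp", 8080, "SYN"), ("udp", 53, "NONE")]        # held-out, all normal
TEST = {"normal": ("tcp", 443, "ACK"), "attack": ("tcp", 4444, "URG")}
ATTR = {"proto": 0, "port": 1, "flags": 2}

def learn_candidates(records):
    """Candidate rules {(proto_value, target): allowed values} from training data."""
    allowed = defaultdict(set)
    for r in records:
        for target in ("port", "flags"):
            allowed[(r[0], target)].add(r[ATTR[target]])
    return dict(allowed)

def violated(rule, allowed, rec):
    """A rule fires when its condition holds and the target value is unseen."""
    cond_val, target = rule
    return rec[0] == cond_val and rec[ATTR[target]] not in allowed

def validation_pass_rate(rule, allowed, valid):
    return 1 - sum(violated(rule, allowed, r) for r in valid) / len(valid)

def build(strategy, candidates, initial, valid):
    """Return {rule: (allowed, weight)} under Pruning, Weighting or Replacement."""
    kept = {}
    for rule in initial:
        rate = validation_pass_rate(rule, candidates[rule], valid)
        if rate == 1.0:
            kept[rule] = (candidates[rule], 1.0)           # clean on validation: keep
        elif strategy == "weighting":
            kept[rule] = (candidates[rule], rate)          # keep, but down-weight (assumed weight)
        elif strategy == "replacement":
            for cand in candidates:                        # same condition, not yet used, clean on validation
                if cand[0] == rule[0] and cand not in initial and \
                        validation_pass_rate(cand, candidates[cand], valid) == 1.0:
                    kept[cand] = (candidates[cand], 1.0)
                    break
        # strategy == "pruning": the violated rule is simply dropped
    return kept

def score(ruleset, rec):
    return sum(w for rule, (allowed, w) in ruleset.items() if violated(rule, allowed, rec))

def run(strategy):
    candidates = learn_candidates(TRAIN)
    initial = [r for r in candidates if r[1] == "port"]   # the succinct initial set: port rules only
    ruleset = build(strategy, candidates, initial, VALID)
    return {name: score(ruleset, rec) for name, rec in TEST.items()}
```

Pruning drops the tcp port rule because validation contains a legitimate new port, so the attack scores 0 and is missed; Weighting keeps that rule at half weight and Replacement swaps in the tcp flags rule, and both flag the attack while the normal record still scores 0.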