Improving the effectiveness of intrusion detection systems for hierarchical data

摘要

A high false alarm rate of anomaly-based, on-line, high throughput intrusion detection systems (IDS) is a serious concern, often rendering these IDSs impractical for use in real-world systems. The usual approach to this problem is to try to decrease or limit the false alarm rate. However, IDSs that adopt this approach are usually attack or algorithm specific and are not considered generally applicable. In this paper, we propose a general method for lowering the false positive rate (FPR) of any existing state-of-the-art anomaly-based IDS for hierarchical data, while minimizing the potential decrease in the detection rate. This is done by automatically learning the underlying hierarchy of sub-classes from a dataset of normal instances and iteratively applying the IDS on each sub-class. Compared to previous work, our method is more practical because it does not require users to possess any knowledge about the data’s hierarchical structure or make assumptions about its distribution. We evaluate our method’s ability to improve the effectiveness of recent state-of-the-art IDSs on a variety of attacks on operational networks of IP cameras and IoT devices as well as attacks on the MIL-STD-1553 communication protocol. We test numerous configurations of all IDSs and show that our method can improve detection performance in more than 98% of our tests. We demonstrate that our method can improve IDSs that operate on any type of data, e.g. independent feature vector data instances or sequences of dependent data records. By evaluating on datasets with different attack occurrence rates, we also demonstrate that our ability to improve an IDS’s effectiveness becomes more significant as attacks occur more rarely. This further emphasizes our method’s contribution to real-life intrusion detection scenarios in which the attack occurrence rates can be very low.