Towards an Information-Theoretic Framework for Analyzing Intrusion Detection Systems

Model: Treat IDS as a black box Intrusion detection capability CID = I(X ;Y ) H(X) ): How much (normalized) ground truth information an IDS can identify [Gu et al. ASIACCS’06] take into account all aspects of detection capability an intrinsic measure of intrusion detection capability an objective trade-off between FP and FN (without involving subjective cost) yields a series of related information-theoretic metrics very sensitive and easy to demonstrate the effect of subtle changes of an IDS Guofei Gu et al. An Information-Theoretic Framework for Analyzing IDSs Motivation An Information-Theoretic Framework for Analyzing IDSs Experiments Summary Modeling an IDS Connection to Information Theory Simplified Model Analysis Implication Sensitivity analysis 10 −7 10 −6 10 −5 10 −4 10 −3 10 −4 10 −2 10 0 10 2 10 4 10 6 Percent of Intrusion data (base rate B) D er iv at iv e (in a bs ol ut e va lu e) |∂P e /∂B| |∂C ID /∂B| 10 −3 10 −2 10 −1 10 −1 10 0 10 1 10 2 False Positive Rate (α) D er iv at iv e (in a bs ol ut e va lu e) |∂P e /∂α| |∂C ID /∂α| 10 −3 10 −2 10 −1 10 −5 10 −4 10 −3 10 −2 10 −1 10 0 10 1 False Negative Rate (β) D er iv at iv e (in a bs ol ut e va lu e) |∂P e /∂β| |∂C ID /∂β| Guofei Gu et al. An Information-Theoretic Framework for Analyzing IDSs Motivation An Information-Theoretic Framework for Analyzing IDSs Experiments Summary Modeling an IDS Connection to Information Theory Simplified Model Analysis Implication