Weighting versus Pruning in Rule Validation for Detecting Network and Host Anomalies
author:
Gaurav Tandon ,
Florida Institute of Technology
Description
For intrusion detection, the LERAD algorithm learns a succinct set of comprehensible rules for detecting anomalies, which could be novel attacks. LERAD validates the learned rules on a separate held-out validation set and removes rules that cause false alarms. However, removing rules with possible high coverage can lead to missed detections. We propose to retain these rules and associate weights to them. We present three weighting schemes and our empirical results indicate that, for LERAD, rule weighting can detect more attacks than pruning with minimal computational overhead.
You might be experiencing some problems with Your Video player.
| Slides | |
| 0:03 | Intrusion Detection Systems |
| 0:22 | Learning Rules for Anomaly Detection (LERAD) |
| 2:05 | Aspects of Rule Quality |
| 2:38 | Predictiveness vs. Belief for LERAD rule |
| 3:14 | Motivation and Problem Statement |
| 3:57 | Overview of LERAD |
| 4:47 | Anomaly score |
| 5:53 | Revisit Validation Step |
| 6:01 | Rule Pruning (1) |
| 6:52 | Rule Pruning (2) |
| 7:08 | Case 1 - Rule Conformed (Rule Pruning) |
| 7:55 | Case 2 - Rule Violated (Rule Pruning) |
| 8:16 | LERAD Rule Generation |
| 8:25 | Coverage and Rule Pruning |
| 8:45 | LERAD Rule Generation |
| 8:51 | Rule Weighting |
| 9:31 | Case 1 - Rule Conformed (Rule Weighting) |
| 10:19 | Case 2 - Rule Violated (Rule Weighting) |
| 11:11 | Anomaly Score |
| 11:59 | Weighting Method 1: Winnow-specialist |
| 12:39 | Weighting Method 2: Equal Reward Apportioning |
| 13:09 | Weighting Method 3: Weight of Evidence |
| 13:43 | Empirical Evaluation |
| 15:00 | AUC% (0.1% FA) [Random detector AUC= 0.005%] |
| 15:39 | AUC% (1% FA) [Random detector AUC= 0.5%] |
| 15:53 | Analysis of new attack(s) detected by rule weighting |
| 16:42 | Overhead |
| 16:51 | Summary |
Lecture rating
| People found this lecture: | ||
| Worth seeing | ||
| because it is: | ||
| Valuable and informative | ||
| Well presented | ||
| Easily understandable | ||
| Acceptably recorded | ||
| You need to login to cast your vote. | ||
Report a problem or upload files
If you have found a problem with this lecture or would like to send us extra material, articles, exercises, etc., please use our ticket system to describe your request and upload the data.Enter your e-mail into the 'Cc' field, and we will keep you updated with your request's status.
Related content
10 comments
SEE ALSO:
Download slides:
Tandon_kdd07talk.ppt (245.5 KB)
Launch in a standalone WM PlayerSwitch to Windows Media Player
View slides
Streaming Video Help
Windows Media Player Firefox Plugin - Download
Link this page
Would you like to put a link to this lecture on your homepage?Go ahead! Copy the HTML snippet !
