An Adaptive Threshold Method for Anomaly-based Intrusion Detection Systems
Anomaly-based Detection Systems (ADSs) attempt to learn the features of behaviors and events of a system and/or users over a period to build a profile of normal behaviors. There has been growing interest in ADSs, and they are typically conceived as more powerful systems. One of the important factors for ADSs is the ability to distinguish between normal and abnormal behaviors in a given period. However, this is becoming complicated because the dynamic network environment changes every minute. It is dangerous to distinguish between normal and abnormal behaviors with a fixed threshold in a dynamic environment because there is no guarantee that the threshold is always an indication of normal behaviors. In this paper, we propose an adaptive threshold for a dynamic environment with a trust management scheme for efficiently managing the profiles of normal and abnormal behaviors. Based on the assumption of the statistical analysis-based ADS that normal data instances occur in high-probability regions while malicious data instances occur in low-probability regions of a stochastic model, we set two adaptive thresholds for normal and abnormal behaviors. The behaviors between the two thresholds are classified as suspicious behaviors, and they are efficiently evaluated with a trust management scheme.
Publication Title
2019 IEEE 18th International Symposium on Network Computing and Applications, NCA 2019
Chae, Younghun, Natallia Katenka, and Lisa Dipippo. "An Adaptive Threshold Method for Anomaly-based Intrusion Detection Systems." 2019 IEEE 18th International Symposium on Network Computing and Applications, NCA 2019 (2019). doi: 10.1109/NCA.2019.8935045.