Person:
Lee, Wenke


Publication Search Results

  • Item
    An Information-Theoretic Measure of Intrusion Detection Capability
    (Georgia Institute of Technology, 2005) Gu, Guofei ; Fogla, Prahlad ; Dagon, David ; Lee, Wenke ; Skoric, Boris
    A fundamental problem in intrusion detection is what metric(s) can be used to objectively evaluate an intrusion detection system (IDS) in terms of its ability to correctly classify events as normal or intrusion. In this paper, we provide an in-depth analysis of existing metrics. We argue that the lack of a single unified metric makes it difficult to fine-tune and evaluate an IDS. The intrusion detection process can be examined from an information-theoretic point of view. Intuitively, we should have less uncertainty about the input (event data) given the IDS output (alarm data). We thus propose a new metric called Intrusion Detection Capability, C_ID, which is simply the ratio of the mutual information between IDS input and output to the entropy of the input. C_ID has the desired properties that: (1) it naturally takes into account all the important aspects of detection capability, i.e., true positive rate, false positive rate, positive predictive value, negative predictive value, and base rate; (2) it objectively provides an intrinsic measure of intrusion detection capability; (3) it is sensitive to IDS operation parameters. We propose that C_ID is the appropriate performance measure to maximize when fine-tuning an IDS. The operating point thus obtained is the best that can be achieved by the IDS in terms of its intrinsic ability to classify input data. We use numerical examples as well as experiments with actual IDSs on various datasets to show that, using C_ID, we can choose the best (optimal) operating point for an IDS and can objectively compare different IDSs.
  • Item
    Worm Detection Using Local Networks
    (Georgia Institute of Technology, 2004) Qin, Xinzhou ; Dagon, David ; Gu, Guofei ; Lee, Wenke
    The need for a global monitoring system for Internet worm detection is clear. Likewise, the need for local detection and response is also obvious. In this study, we used a large data set to review some of the worm monitoring and detection strategies proposed for large networks, and found them difficult to apply to local networks. In particular, the Kalman filter and victim number-based approaches proved unsuitable for smaller networks. They are of course appropriate for large systems, but what works well for local networks? We propose two algorithms tailored to local network monitoring needs. First, the Destination Source Correlation (DSC) algorithm focuses on the infection relation and tracks real infected hosts (not merely scans) to provide an accurate response. Second, the HoneyStat system provides a way to track the short-term infection behavior used by worms. Potentially, this provides a basis for statistical inference about a worm's behavior on a network.