Attackers can use automated scripts to generate a very high volume of intrusions to overwhelm an IDS and its operational staff, and then launch the intended, more serious attacks, which may now go undetected. The limited time and resources therefore need to be focused on detecting the most damaging intrusions. In other words, high statistical accuracy should not be the main goal of an IDS; rather, the more important goal should be the maximum reduction in intrusion damage cost with minimum IDS operational cost. The objective of this project is to study the theoretical foundations and the development approaches for cost-sensitive intrusion detection systems. In particular, we are focusing on: study of the cost factors, cost models, and cost metrics related to intrusion detection; development of automated techniques for building cost-sensitive models that are optimized for user-defined cost metrics; and design of a system architecture for dynamically activating and configuring light intrusion detection modules, each of which specializes in a set of similar intrusions.
Approach:
The approach is to incorporate the cost factors, models, and metrics related to intrusion detection into the process of extracting and constructing features, building models, and designing system architectures. In prior work, the related DARPA-funded JAM project, we developed a set of data mining techniques for automatically computing intrusion detection models from large amounts of audit data. In this research, we will extend these algorithms with cost-sensitive capabilities.
The computational cost of the features can be used to estimate the operational cost of an IDS. This project will develop feature-cost-sensitive data mining algorithms that can automatically select and construct the lowest-cost features for intrusion detection models while maintaining the desired level of statistical accuracy. An IDS cost model specifies the action policy for each intrusion based on whether its damage cost is greater than its response cost. That is, intrusions with very low damage cost but high response cost may be ignored. This project will develop techniques for automatically generating an intrusion-cost-sensitive decision engine, based on site-specific cost models and metrics, to appropriately post-process the outputs of the intrusion detection modules.
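The following is an added example, not code from the project, showing the two ideas in the paragraph above in working form: choosing the cheapest feature set that still meets an accuracy target, and a decision engine that post-processes a module's predicted class by comparing damage cost against response cost. All cost figures, feature names, intrusion classes and the rule that operational cost is charged per examined event are constructed assumptions for illustration; a real deployment would take them from its site-specific cost model.

```python
# Constructed, hypothetical cost metrics (not the project's figures).
# DAMAGE_COST: cost if the intrusion succeeds; RESPONSE_COST: cost of acting on a detection.
DAMAGE_COST = {"dos": 30, "probe": 2, "r2l": 100, "u2r": 200}
RESPONSE_COST = {"dos": 15, "probe": 20, "r2l": 40, "u2r": 40}

# Constructed feature computation costs: cheap per-connection fields versus
# expensive statistics computed over a window of connections.
FEATURE_COST = {"duration": 1, "service": 1, "num_failed_logins": 5,
                "count": 10, "srv_count": 10}


def feature_set_cost(features):
    """Operational cost of computing one feature set for a single event."""
    return sum(FEATURE_COST[f] for f in features)


def select_features(candidates, min_accuracy):
    """Feature-cost-sensitive selection.

    candidates: list of (feature_tuple, estimated_accuracy) pairs, e.g. from
    cross-validated models built on each candidate set. Returns the cheapest
    feature set whose accuracy meets min_accuracy, or None if none does.
    """
    feasible = [(fs, acc) for fs, acc in candidates if acc >= min_accuracy]
    if not feasible:
        return None
    return min(feasible, key=lambda item: feature_set_cost(item[0]))[0]


def decide(predicted_class):
    """Action policy: respond only when damage cost exceeds response cost."""
    if predicted_class == "normal":
        return "none"
    if DAMAGE_COST[predicted_class] > RESPONSE_COST[predicted_class]:
        return "respond"
    return "ignore"


def event_cost(predicted_class, true_class):
    """Consequential cost of one event under the action policy (assumed rules)."""
    action = decide(predicted_class)
    if true_class == "normal":
        # False alarm: a response wastes its response cost; ignoring costs nothing.
        return RESPONSE_COST[predicted_class] if action == "respond" else 0
    if action == "respond" and predicted_class == true_class:
        # Correct detection and response: damage averted, response cost paid.
        return RESPONSE_COST[true_class]
    if action == "respond":
        # Responded to the wrong class: assumed to pay the response and still suffer damage.
        return RESPONSE_COST[predicted_class] + DAMAGE_COST[true_class]
    # Missed (predicted normal) or deliberately ignored: full damage cost.
    return DAMAGE_COST[true_class]


def cumulative_cost(events, features):
    """Total cost = consequential cost over events + operational cost of the features.

    events: list of (predicted_class, true_class). Operational cost is assumed
    to be charged once per event examined.
    """
    consequential = sum(event_cost(p, t) for p, t in events)
    operational = feature_set_cost(features) * len(events)
    return consequential + operational


# Constructed sample: model predictions paired with ground truth.
SAMPLE_EVENTS = [("dos", "dos"), ("probe", "probe"), ("normal", "r2l"),
                 ("u2r", "normal"), ("normal", "normal")]
SAMPLE_CANDIDATES = [(("duration", "service"), 0.90),
                     (("duration", "service", "num_failed_logins"), 0.95),
                     (("count", "srv_count"), 0.97)]

if __name__ == "__main__":
    print(select_features(SAMPLE_CANDIDATES, 0.95))
    print([decide(p) for p, _ in SAMPLE_EVENTS])
    print(cumulative_cost(SAMPLE_EVENTS, ("duration", "service")))
```

Note that the `probe` event is detected correctly yet still charged its damage cost: under these constructed metrics responding (20) costs more than the damage (2), so the policy ignores it, which is exactly the trade-off the cost model is meant to make explicit.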
An IDS that runs all detection modules in a single process can become an easy target for subversion and is not cost-effective. This project will develop cluster analysis techniques that categorize intrusions into groups. Each group of similar intrusions shares a similar set of features. A specialized and light intrusion detection module is built for each group. These independent modules are activated or deactivated at run time according to the site-specific security goals and cost constraints.
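As an added illustration of the architecture described above (not the project's own code), the block below groups intrusion types by the overlap of the features their detection relies on, builds one light module per group whose operational cost is the cost of the group's feature union, and then activates modules at run time under a cost budget. The intrusion names, their feature sets, the costs, the Jaccard-similarity grouping and the greedy damage-per-cost activation rule are all constructed assumptions chosen to make the mechanism concrete; the project's actual cluster analysis is not specified on this page.

```python
# Constructed, hypothetical feature costs and per-intrusion damage costs.
FEATURE_COST = {"service": 1, "flag": 1, "num_failed_logins": 5,
                "count": 10, "srv_count": 10, "rerror_rate": 10, "diff_srv_rate": 10}
DAMAGE_COST = {"smurf": 30, "neptune": 30, "portsweep": 2, "ipsweep": 2,
               "guess_passwd": 100}

# Constructed: the features each intrusion's detection rules depend on.
INTRUSION_FEATURES = {
    "smurf": {"count", "srv_count", "service"},
    "neptune": {"count", "srv_count", "flag"},
    "portsweep": {"rerror_rate", "diff_srv_rate"},
    "ipsweep": {"rerror_rate", "diff_srv_rate", "service"},
    "guess_passwd": {"num_failed_logins", "service"},
}


def jaccard(a, b):
    """Similarity of two feature sets: |a & b| / |a | b|."""
    return len(a & b) / len(a | b)


def group_intrusions(threshold):
    """Greedy single-link grouping: an intrusion joins the first existing group
    containing a member whose feature set is at least `threshold` similar;
    otherwise it starts a new group. Insertion order is preserved."""
    groups = []
    for name, feats in INTRUSION_FEATURES.items():
        for group in groups:
            if any(jaccard(feats, INTRUSION_FEATURES[m]) >= threshold for m in group):
                group.append(name)
                break
        else:
            groups.append([name])
    return groups


def build_modules(groups):
    """One light module per group; it needs only the union of the group's features."""
    modules = []
    for group in groups:
        feats = set().union(*(INTRUSION_FEATURES[m] for m in group))
        modules.append({
            "covers": group,
            "features": feats,
            "cost": sum(FEATURE_COST[f] for f in feats),      # operational cost
            "damage": sum(DAMAGE_COST[m] for m in group),     # damage it can avert
        })
    return modules


def activate(modules, budget):
    """Run-time activation under a cost constraint: greedily enable the modules
    with the highest averted damage per unit of operational cost that still fit."""
    active, remaining = [], budget
    for m in sorted(modules, key=lambda m: m["damage"] / m["cost"], reverse=True):
        if m["cost"] <= remaining:
            active.append(m)
            remaining -= m["cost"]
    return active


def covered_intrusions(active_modules):
    return sorted(name for m in active_modules for name in m["covers"])


if __name__ == "__main__":
    modules = build_modules(group_intrusions(0.5))
    for m in modules:
        print(m["covers"], "cost", m["cost"], "damage", m["damage"])
    print("budget 30 ->", covered_intrusions(activate(modules, 30)))
    print("budget 10 ->", covered_intrusions(activate(modules, 10)))
```

Because each module is a separate process, a subverted or overwhelmed module does not take the others down with it, and lowering the budget simply sheds the modules that avert the least damage per unit of cost first.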