An Information-Theoretic Framework for Evaluating and Optimizing Intrusion Detection Performance

Abstract

We conducted an in-depth study of the performance metrics used to evaluate intrusion detection systems. We define Intrusion Detection Capability as the ratio of the mutual information between the IDS input and output to the entropy of the input; it integrates all the important factors into a single metric. We show that this new metric is very sensitive to IDS operating parameters. We also define information-theoretic metrics that measure the effectiveness of an IDS in terms of feature representation capability, classification information loss and overall intrusion detection capability, and we show that intrusion detection capability equals the feature representation capability minus the classification information loss. Finally, we propose a decision-theoretic IDS alert fusion technique based on the likelihood ratio test (LRT).
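As an added illustration (not code from the report), the following Python computes the capability metric defined above, C_ID = I(X;Y)/H(X), for a binary IDS from the base rate of intrusions, the true-positive rate and the false-positive rate, and picks the ROC operating point that maximizes it. The function names and the sample operating points are constructed for this example.

```python
import math


def entropy(probs):
    """Shannon entropy in bits; zero-probability outcomes contribute nothing."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


def detection_capability(base_rate, tpr, fpr):
    """C_ID = I(X;Y) / H(X) for a binary IDS.

    X is the ground truth (1 = intrusion, with probability base_rate),
    Y is the IDS output (1 = alert). tpr = P(Y=1|X=1), fpr = P(Y=1|X=0).
    """
    b = base_rate
    h_x = entropy([b, 1 - b])
    if h_x == 0:
        return 0.0  # input carries no information to recover
    joint = {
        (1, 1): b * tpr,             # detected intrusion
        (1, 0): b * (1 - tpr),       # missed intrusion
        (0, 1): (1 - b) * fpr,       # false alarm
        (0, 0): (1 - b) * (1 - fpr), # correctly ignored normal traffic
    }
    p_alert = joint[(1, 1)] + joint[(0, 1)]
    h_y = entropy([p_alert, 1 - p_alert])
    h_xy = entropy(joint.values())
    mutual_info = max(0.0, h_x + h_y - h_xy)  # I(X;Y), clamped against float noise
    return mutual_info / h_x


def best_operating_point(base_rate, roc_points):
    """Return the (tpr, fpr) pair on an ROC curve that maximizes C_ID."""
    return max(roc_points, key=lambda pt: detection_capability(base_rate, *pt))


if __name__ == "__main__":
    # Constructed (tpr, fpr) operating points of a hypothetical IDS.
    roc = [(0.70, 0.0005), (0.85, 0.002), (0.95, 0.02), (0.99, 0.10)]
    for b in (0.1, 0.01, 0.001):
        tpr, fpr = best_operating_point(b, roc)
        print(f"base rate {b}: best point tpr={tpr} fpr={fpr} "
              f"C_ID={detection_capability(b, tpr, fpr):.3f}")
```

Running the script shows the best operating point sliding toward lower false-positive rates as the base rate drops, which is the sensitivity to operating parameters the abstract describes.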

Document Details

Document Type
Technical Report
Publication Date
Jun 01, 2008
Accession Number
ADA500390

Entities

People

  • Wenke Lee

Organizations

  • Georgia Tech

Tags

Communities of Interest

  • Cyber

DTIC Thesaurus Topics

  • Abstracts
  • Agreements
  • Classification
  • Computers
  • Contract Administration
  • Cybersecurity
  • Department Of Defense
  • Detection
  • Detectors
  • Engineering
  • Information Theory
  • Intrusion
  • Intrusion Detection
  • Intrusion Detection Systems
  • Intrusion Detectors
  • Mathematics
  • Security

Fields of Study

  • Computer science

Readers

  • Computer Vision
  • Cybersecurity
  • Regression Analysis