MID (misuse intrusion detection). Anomaly detection uses clustering algorithms
because the behavior to be found is unlabeled and no external information source
is available. Misuse detection uses classification algorithms because the activity
to be analyzed requires that the detector know how the classes are defined.
There are tradeoffs in accuracy and range of detection between clustering and
classification. Classification methods work with predefined data, so they can
detect a weaker signal and achieve accurate recognition. In some cases, however,
they may be biased by incorrect training data, and they cannot detect new types
of attack, in the sense that such an attack belongs to no previously defined
category. Clustering, on the other hand, is not distorted by prior knowledge,
but for that reason needs a stronger signal for discovery. At the same time it
can deal with unlabeled attacks, because the training does not specify what the
detection system is trying to find, although clustering may go too far and flag
activity that is not caused by a security incident.
2 Two-Stage Incident Detection
Generally, classification is applied to misuse detection, which trains on labeled
data. In this paper we apply the classification method to both the normal and the
attack case. As mentioned above, classification relies on predefined data, so it
can process a weaker signal and recognize it accurately, and thus decide not to
alert. The main purpose of classification in our model is not so much to detect
misuse as to drop unusual changes into normal classes, in order to prevent the
IDS from raising false positive alerts.
Fig. 1. In the classification process, the misuse dataset is added to the profile
dataset in order to generate a double-layer signature matrix.
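As an added illustration of the two-stage scheme (example code, not the paper's own): stage 1 classifies each event against a double-layer signature matrix built from a profile dataset and a misuse dataset, alerting only on the misuse layer and silently absorbing unusual changes that still fit a normal class; stage 2 clusters the events no class claims and alerts only when a cluster is large enough. The nearest-centroid classifier, the leader clustering, the feature vectors and all sample data are assumptions, since the paper does not specify them.

```python
import math

# Constructed sample data (stand-ins for the paper's profile and misuse datasets): each row is
# (class label, feature vector), e.g. (http requests, SYNs to new ports, failed logins) per source.
PROFILE = [("web_normal", (10, 1, 0)), ("web_normal", (12, 1, 0)), ("web_normal", (11, 2, 0)),
           ("ssh_normal", (1, 0, 5)), ("ssh_normal", (2, 0, 6))]
MISUSE = [("port_scan", (0, 60, 0)), ("port_scan", (0, 55, 1)),
          ("brute_force", (1, 0, 80)), ("brute_force", (2, 1, 90))]
EVENTS = [(11, 1, 0), (13, 2, 0), (0, 58, 0), (40, 40, 40), (200, 0, 0), (41, 41, 41), (42, 40, 41)]

def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def build_signature_matrix(profile, misuse):
    """Double-layer signature matrix: one centroid per class, normal layer plus misuse layer."""
    rows = {}
    for label, vec in profile + misuse:
        rows.setdefault(label, []).append(vec)
    return {label: tuple(sum(col) / len(vecs) for col in zip(*vecs)) for label, vecs in rows.items()}

def nearest(event, centroids):
    """Nearest-centroid lookup (assumed classifier); returns (label, distance)."""
    return min(((label, _dist(event, c)) for label, c in centroids.items()), key=lambda t: t[1])

def cluster_unmatched(events, radius):
    """Stage 2: leader clustering (assumed method) over events no class claimed; no labels used."""
    clusters = []  # each entry: [leader vector, member list]
    for e in events:
        for c in clusters:
            if _dist(e, c[0]) <= radius:
                c[1].append(e)
                break
        else:
            clusters.append([e, [e]])
    return [members for _, members in clusters]

def two_stage_detect(events, profile, misuse, radius, min_cluster):
    """Stage 1 classifies against both layers; stage 2 clusters the remainder."""
    centroids = build_signature_matrix(profile, misuse)
    misuse_labels = {label for label, _ in misuse}
    alerts, unmatched = [], []
    for e in events:
        label, d = nearest(e, centroids)
        if d > radius:
            unmatched.append(e)           # weak fit to every known class: defer to clustering
        elif label in misuse_labels:
            alerts.append(("misuse", label, e))
        # else: unusual change absorbed by a normal class, so no false-positive alert
    for members in cluster_unmatched(unmatched, radius):
        if len(members) >= min_cluster:   # clustering needs the stronger signal of a group
            alerts.append(("anomaly", None, members))
    return alerts
```

Running `two_stage_detect(EVENTS, PROFILE, MISUSE, radius=5.0, min_cluster=3)` yields one misuse alert for the port-scan-like event and one anomaly alert for the cluster of three unmatched events, while the lone outlier (200, 0, 0) produces nothing.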