The base-rate fallacy and its implications for the difficulty of intrusion detection

Axelsson, Stefán

doi:10.1145/319709.319710

Cited by 215 publications

(184 citation statements)

References 8 publications

Supporting

Mentioning

180

Contrasting

Unclassified

Order By: Relevance

“…Moreover, since the detector is based on data matrices only, update schemes seem worthwhile to explore. Currently, we are investigating mechanisms of dynamic feedback control for equation (3) as well ways to update the data matrix in order to adjust to evolving usage patterns. In another direction, combining statistical detection methods and semantic descriptions, i.e.…”

Section: Resultsmentioning

confidence: 99%

“…In order to do this, we resort to a simple method of choosing the top 3, 6, and 9 deviations from within the 200 day test data set and check if the malware induced days are among them 3 In this context, the precision measures the percentage of these deviations actually belonging to the malware set and recall the percentage of malware detected in the set of given deviations. Ideally, recall should be 1 and precision {1, 0.5, 0.33} for {3, 6, 9} preset deviations, respectively.…”

Section: Feature (In Numbers Per Day)mentioning

confidence: 99%

“…The base-rate fallacy captures the essence of this problem. Even if the detection scheme achieves low false-negative and false-positive rates, the legitimate network traffic is much higher in volume than the malware traffic that the number of false alarms is substantial [3]. In other words, most of the time detection process is similar to searching for a needle in a haystack, and current methods are often not good enough to find "the needle" without processing a lot of "hay".…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

A Probabilistic Diffusion Scheme for Anomaly Detection on Smartphones

Alpcan

Bauckhage

Schmidt

2010

Information Security Theory and Practices. Security and Privacy of Pervasive Systems and Smart Devices

View full text Add to dashboard Cite

Abstract. Widespread use and general purpose computing capabilities of next generation smartphones make them the next big targets of malicious software (malware) and security attacks. Given the battery, computing power, and bandwidth limitations inherent to such mobile devices, detection of malware on them is a research challenge that requires a different approach than the ones used for desktop/laptop computing. We present a novel probabilistic diffusion scheme for detecting anomalies possibly indicating malware which is based on device usage patterns. The relationship between samples of normal behavior and their features are modeled through a bipartite graph which constitutes the basis for the stochastic diffusion process. Subsequently, we establish an indirect similarity measure among sample points. The diffusion kernel derived over the feature space together with the Kullback-Leibler divergence over the sample space provide an anomaly detection algorithm. We demonstrate its applicability in two settings using real world mobile phone data. Initial experiments indicate that the diffusion algorithm outperforms others even under limited training data availability.

show abstract

Section: Resultsmentioning

confidence: 99%

Section: Feature (In Numbers Per Day)mentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

A Probabilistic Diffusion Scheme for Anomaly Detection on Smartphones

Alpcan

Bauckhage

Schmidt

2010

Information Security Theory and Practices. Security and Privacy of Pervasive Systems and Smart Devices

View full text Add to dashboard Cite

show abstract

“…Our goal of the evaluation on another crawled dataset is to test the actual operation and user experience without the ground truth from URL analysis by computing the Bayesian detection rate [21] -the probability of actually being at least a suspicious spammer, whenever an account is reported by the detection system. Specifically, we use Data set I, which has been labeled, as the training data set, and Data set II as the testing data.…”

Section: Evaluation On Dataset IImentioning

confidence: 99%

Die Free or Live Hard? Empirical Evaluation and New Design for Fighting Evolving Twitter Spammers

Yang

Harkreader

2011

Lecture Notes in Computer Science

186

141

View full text Add to dashboard Cite

Abstract. Due to the significance and indispensability of detecting and suspending Twitter spammers, many researchers along with the engineers in Twitter Corporation have devoted themselves to keeping Twitter as spam-free online communities. Meanwhile, Twitter spammers are also evolving to evade existing detection techniques. In this paper, we make an empirical analysis of the evasion tactics utilized by Twitter spammers, and then design several new and robust features to detect Twitter spammers. Finally, we formalize the robustness of 24 detection features that are commonly utilized in the literature as well as our proposed ones. Through our experiments, we show that our new designed features are effective to detect Twitter spammers, achieving a much higher detection rate than three state-of-the-art approaches [35,32,34] while keeping an even lower false positive rate.

show abstract

“…In order to evaluate the effectiveness [15] of IDS the use of Receiver Operating Characteristic (ROC) has been largely proposed [16], [17], [15], [18]. ROC curves plot detection rate versus false alarm rate.…”

Section: Introductionmentioning

confidence: 99%

Adaptive Agents Applied to Intrusion Detection

Carbó

Orfila

Ribagorda

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. This paper proposes a system of agents that make predictions over the presence of intrusions. Some of the agents act as predictors implementing a given Intrusion Detection model, sniffing out the same traffic. An assessment agent weights the forecasts of such predictor agents, giving a final binary conclusion using a probabilistic model. These weights are continuously adapted according to the previous performance of each predictor agent. Other agent establishes if the prediction from the assessor agent was right or not, sending him back the results. This process is continually repeated and runs without human interaction. The effectiveness of our proposal is measured with the usual method applied in Intrusion Detection domain: Receiver Operating Characteristic curves (detection rate versus false alarm rate). Results of the adaptive agents applied to intrusion detection improve ROC curves as it is shown in this paper.

show abstract

The base-rate fallacy and its implications for the difficulty of intrusion detection

Cited by 215 publications

References 8 publications

A Probabilistic Diffusion Scheme for Anomaly Detection on Smartphones

A Probabilistic Diffusion Scheme for Anomaly Detection on Smartphones

Die Free or Live Hard? Empirical Evaluation and New Design for Fighting Evolving Twitter Spammers

Adaptive Agents Applied to Intrusion Detection

Contact Info

Product

Resources

About