An intrusion detection system (IDS) is a security layer to detect ongoing intrusive activities in computer systems and networks. Current IDS have two main problems: The first problem is that typically so many alarms are generated as to overwhelm the system operator, many of these being false alarms. The second problem is that continuous tuning of the intrusion detection model is required in order to maintain sufficient performance due to the dynamically changing nature of the monitored system. This manual tuning process relies on the system operators to work out the updated tuning solution and to integrate it into the detection model. In this article, we present an automatically tuning intrusion detection system, which controls the number of alarms output to the system operator and tunes the detection model on the fly according to feedback provided by the system operator when false predictions are identified. This system adapts its behavior (i) by throttling the volume of alarms output to the operator in response to the ability of the operator to respond to these alarms, and (ii) by deciding how aggressively the detection model should be tuned based on the accuracy of earlier predictions. We evaluated our system using the KDDCup'99 intrusion detection dataset. Our results show that an adaptive, automatically tuning intrustion detection system will be both practical and efficient.
ACM Transactions on Autonomous and Adaptive Systems (TAAS) – Association for Computing Machinery
Published: Aug 1, 2008