The Utility of Partial Knowledge in Behavior Models: An Evaluation for Intrusion Detection

Abstract

To extend the detection capability of an incomplete behavior model, the model must be generalized so that each behavior signature identifies more behavior instances. In this paper, within a general intrusion detection framework, a behavior is matched against a signature when M out of its N features agree (M ≤ N), rather than requiring all N features to match. The rationale is that an M-of-N match generalizes the behavior model to cover unknown behaviors, which is useful for detecting novel intrusions that lie outside the known behavior model. However, the preliminary experimental results show that all N features of a signature should be used for intrusion detection rather than only M of them: the M-of-N scheme destroys the model's ability to identify behaviors, because most behaviors end up being reported as 'anomalies' or 'alarms'.
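The trade-off the abstract describes can be made concrete with a small matcher. The following is an added example, not code from the paper: the feature positions, the four-class behavior model, the decision rule (a behavior is identified only when exactly one class matches; no match is an anomaly; several matching classes can only raise an alarm) and the test behaviors are all constructed here to illustrate the idea, not taken from the paper's framework or experiments.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed behavior model: each class is described by one or more
# signatures, each a tuple of N feature values. The feature positions
# (event type, channel, principal, rate bucket) are assumed for this
# example; the paper does not fix a feature set.
N_FEATURES = 4
MODEL: Dict[str, List[Tuple[str, ...]]] = {
    "normal_login": [("login", "tty", "user", "low")],
    "normal_cron": [("cron", "none", "root", "high")],
    "bruteforce": [("login", "tty", "user", "high")],
    "privesc": [("exec", "setuid", "root", "low")],
}


def agreeing_features(signature: Tuple[str, ...], instance: Tuple[str, ...]) -> int:
    """Number of feature positions where the instance equals the signature."""
    if len(signature) != len(instance):
        raise ValueError("signature and instance must have the same N")
    return sum(1 for s, x in zip(signature, instance) if s == x)


def matches(signature: Tuple[str, ...], instance: Tuple[str, ...], m: int) -> bool:
    """M-of-N match: True when at least m of the N features agree.
    m == N is the full match that the paper finally recommends."""
    return agreeing_features(signature, instance) >= m


def classify(model: Dict[str, List[Tuple[str, ...]]],
             instance: Tuple[str, ...], m: int) -> Tuple[str, frozenset]:
    """Assumed decision rule: identified only when exactly one class has a
    matching signature; no match is an anomaly; several matching classes
    means identification is lost and only an alarm can be raised."""
    hits = frozenset(label for label, sigs in model.items()
                     if any(matches(sig, instance, m) for sig in sigs))
    if not hits:
        return "anomaly", hits
    if len(hits) == 1:
        return "identified", hits
    return "alarm", hits


def evaluate(model: Dict[str, List[Tuple[str, ...]]],
             instances: List[Tuple[str, ...]], m: int) -> Counter:
    """Count decision kinds over a set of behaviors for a given M."""
    return Counter(classify(model, inst, m)[0] for inst in instances)


# Constructed test behaviors, including one novel variant (brute force over
# ssh) that has no signature in the model.
INSTANCES: List[Tuple[str, ...]] = [
    ("login", "tty", "user", "low"),    # known normal login
    ("login", "ssh", "user", "high"),   # novel: brute force over ssh, unseen
    ("exec", "setuid", "root", "low"),  # known privilege escalation
    ("cron", "none", "root", "high"),   # known normal cron run
]

if __name__ == "__main__":
    for m in range(N_FEATURES, 0, -1):
        print(f"M={m}: {dict(evaluate(MODEL, INSTANCES, m))}")
        for inst in INSTANCES:
            kind, hits = classify(MODEL, inst, m)
            print(f"   {inst} -> {kind} {sorted(hits)}")
```

Running it shows both halves of the abstract's argument on this toy model: with M = N the novel ssh brute force is an anomaly, and with M = 3 it is correctly identified as brute force (the generalization benefit), but at the same M the ordinary login now also matches the brute-force signature and can only be raised as an alarm; at M = 1 every behavior is an alarm, which is the loss of identification the experiments report.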

7 Figures and Tables

Cite this paper

@article{Li2005TheUO,
  title={The Utility of Partial Knowledge in Behavior Models: An Evaluation for Intrusion Detection},
  author={Zhuowei Li and Amitabha Das},
  journal={I. J. Network Security},
  year={2005},
  volume={1},
  pages={138-146}
}