Combining a Bayesian Classifier with Visualisation: Understanding the IDS
Other conference contribution, 2004

Despite several years of intensive study, intrusion detection systems still suffer from two key deficiencies: low detection rates and a high rate of false alarms. To counteract these drawbacks, an interactive detection system based on simple Bayesian statistics combined with a visualisation component is proposed, in the hope that this lets the operator better understand exactly how the intrusion detection system is operating. The resulting system is applied to the log of a webserver. The combination proved to be effective. The Bayesian classifier was reasonably effective in learning to differentiate between benign and malicious accesses, and the visualisation component enabled the operator to discern when the intrusion detection system was correct in its output and when it was not, and to take corrective action, re-training the system interactively, until the desired level of performance was reached.

Naive Bayesian Classification

Intrusion detection

Author

Stefan Axelsson

Chalmers, Department of Computing Science, ProSec

Proceedings of the ACM CCS Workshop on Visualization and Data Mining for Computer Security


1-58113-974-8 (ISBN)

Subject Categories

Computer and Information Science

More information

Created

10/8/2017