Techniques for Improving Intrusion Detection

Doctoral thesis, 2008

Intrusion detection systems (IDSs) have become a vital part of operational computer security. They are the last line of defense against malicious hackers and help to detect ongoing attacks and mitigate their damage. Intrusion detection systems are not turnkey solutions, however, but are heavily dependent on expensive and scarce security expertise to ensure their successful operation. In this thesis, I have suggested techniques to improve the functionality of the intrusion detection system in order to achieve an improved overall performance and facilitate the work of the site-security officer. Firstly, by investigating the data collection process, I have shown how to collect securityrelevant events directly from an application as well as the advantages of integrating parts of the IDS with the application being monitored. I have also shown how to make use of data from multiple audit sources or even multiple intrusion detection systems, whether attack-related or not, and how to take the quality of these data into account in the analysis process. I have studied how the expertise of the site-security officer can be captured and transferred into models that can be used by the IDS. I have applied active learning to support vector machines in order to reduce the amount of data needed for a self-learning IDS. I have also presented a reasoning framework in the form of a Bayesian network to reason qualitatively about a combination of alerts. As a growing number of attacks against computer systems are executed faster than a human protector can respond, I have also explored an intrusion-tolerant system. Such a system can automatically trade off performance for a certain amount of attack resistance. I am confident that the combination of these research efforts will significantly improve the usability and performance of intrusion detection systems.