Techniques for Improving Intrusion Detection
Doktorsavhandling, 2008

Intrusion detection systems (IDSs) have become a vital part of operational computer security. They are the last line of defense against malicious hackers and help to detect ongoing attacks and mitigate their damage. Intrusion detection systems are not turnkey solutions, however, but are heavily dependent on expensive and scarce security expertise to ensure their successful operation. In this thesis, I have suggested techniques to improve the functionality of the intrusion detection system in order to achieve an improved overall performance and facilitate the work of the site-security officer. Firstly, by investigating the data collection process, I have shown how to collect securityrelevant events directly from an application as well as the advantages of integrating parts of the IDS with the application being monitored. I have also shown how to make use of data from multiple audit sources or even multiple intrusion detection systems, whether attack-related or not, and how to take the quality of these data into account in the analysis process. I have studied how the expertise of the site-security officer can be captured and transferred into models that can be used by the IDS. I have applied active learning to support vector machines in order to reduce the amount of data needed for a self-learning IDS. I have also presented a reasoning framework in the form of a Bayesian network to reason qualitatively about a combination of alerts. As a growing number of attacks against computer systems are executed faster than a human protector can respond, I have also explored an intrusion-tolerant system. Such a system can automatically trade off performance for a certain amount of attack resistance. I am confident that the combination of these research efforts will significantly improve the usability and performance of intrusion detection systems.

IDS cooperation

IDS response

application-integrated IDS

computer security

intrusion detection

alert reasoning

Vasa A, Vera Sandbergs Allé 8, Chalmers University of Technology
Opponent: Dr. Robert K. Cunningham, MIT Lincoln Laboratory, USA


Magnus Almgren

Chalmers, Data- och informationsteknik, Datorteknik

Tuning an IDS - Learning the User's Preferences

The 11th Nordic Workshop on Secure IT-systems,; (2006)

Paper i proceeding

A Multi-Sensor Model to Improve Automated Attack Detection

11th International Symposium, RAID 2008, Cambridge, MA, USA, September 15-17, 2008. Lecture Notes in Computer Science,; Vol. 5230/2008(2008)p. 291-310

Paper i proceeding

Investigating the Benefits of Using Multiple Intrusion-Detection Sensors

The 13th Nordic Workshop on Secure IT-systems. Published by the Technical University of Denmark.,; (2008)p. 13-26

Paper i proceeding

A Comparison of Alternative Audit Sources for Web Server Attack Detection

The 12th Nordic Workshop on Secure IT-systems,; (2007)

Paper i proceeding

Implications of IDS Classification on Attack Detection

Nordic Workshop on Secure IT Systems (NordSec),; (2003)p. 57--70-

Paper i proceeding

Using Active Learning in Intrusion Detection

Computer Security Foundations Workshop,; (2004)p. 88--98-

Paper i proceeding



Datavetenskap (datalogi)



Doktorsavhandlingar vid Chalmers tekniska högskola. Ny serie: 2875

Technical report - Department of Computer Science and Engineering, Chalmers University of Technology and Göteborg University: 51D

Vasa A, Vera Sandbergs Allé 8, Chalmers University of Technology

Opponent: Dr. Robert K. Cunningham, MIT Lincoln Laboratory, USA