SwePub

onr:"swepub:oai:research.chalmers.se:46c10855-b9a4-4411-8d5e-e5cba1f56343"
 


Techniques for Improving Intrusion Detection

Almgren, Magnus, 1972 (author)
Chalmers tekniska högskola, Chalmers University of Technology
ISBN 9789173851947
2008
English.
  • Doctoral thesis (other academic/artistic)
Abstract
  • Intrusion detection systems (IDSs) have become a vital part of operational computer security. They are the last line of defense against malicious hackers and help to detect ongoing attacks and mitigate their damage. Intrusion detection systems are not turnkey solutions, however, but are heavily dependent on expensive and scarce security expertise to ensure their successful operation. In this thesis, I have suggested techniques to improve the functionality of the intrusion detection system in order to achieve an improved overall performance and facilitate the work of the site-security officer. Firstly, by investigating the data collection process, I have shown how to collect security-relevant events directly from an application as well as the advantages of integrating parts of the IDS with the application being monitored. I have also shown how to make use of data from multiple audit sources or even multiple intrusion detection systems, whether attack-related or not, and how to take the quality of these data into account in the analysis process. I have studied how the expertise of the site-security officer can be captured and transferred into models that can be used by the IDS. I have applied active learning to support vector machines in order to reduce the amount of data needed for a self-learning IDS. I have also presented a reasoning framework in the form of a Bayesian network to reason qualitatively about a combination of alerts. As a growing number of attacks against computer systems are executed faster than a human protector can respond, I have also explored an intrusion-tolerant system. Such a system can automatically trade off performance for a certain amount of attack resistance. I am confident that the combination of these research efforts will significantly improve the usability and performance of intrusion detection systems.

Subject headings

NATURVETENSKAP  -- Data- och informationsvetenskap -- Datorteknik (hsv//swe)
NATURAL SCIENCES  -- Computer and Information Sciences -- Computer Engineering (hsv//eng)
NATURVETENSKAP  -- Data- och informationsvetenskap -- Datavetenskap (hsv//swe)
NATURAL SCIENCES  -- Computer and Information Sciences -- Computer Sciences (hsv//eng)

Keyword

IDS cooperation
IDS response
application-integrated IDS
computer security
intrusion detection
alert reasoning

Publication and Content Type

dok (subject category)
vet (subject category)
