A New, Principled Approach to Anomaly Detection

Intrusion detection is often described as having two main approaches: signature-based and anomaly-based. We argue that only unsupervised methods are suitable for detecting anomalies. However, there has been a tendency in the literature to conflate the notion of an anomaly with the notion of a malici...

Full description

Saved in:
Bibliographic Details
Main Authors: Ferragut, E. M., Laska, J., Bridges, R. A.
Format: Conference Proceeding
Language:English
Subjects:
anomaly detection
Computer security
Context
cyber security
Gaussian distribution
intrusion detection
IP networks
Probabilistic logic
probabilistic model
Probability distribution
Vectors
Online Access:Request full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Intrusion detection is often described as having two main approaches: signature-based and anomaly-based. We argue that only unsupervised methods are suitable for detecting anomalies. However, there has been a tendency in the literature to conflate the notion of an anomaly with the notion of a malicious event. As a result, the methods used to discover anomalies have typically been ad hoc, making it nearly impossible to systematically compare between models or regulate the number of alerts. We propose a new, principled approach to anomaly detection that addresses the main shortcomings of ad hoc approaches. We provide both theoretical and cyber-specific examples to demonstrate the benefits of our more principled approach.
DOI:10.1109/ICMLA.2012.151