Learning combination of anomaly detectors for security domain


Bibliographic Details
Published in: Computer networks (Amsterdam, Netherlands : 1999), 2016-10, Vol.107, p.55-63
Main Authors: Grill, Martin, Pevný, Tomáš
Format: Article
Language: English
Description
Summary: This paper presents a novel technique of finding a convex combination of outputs of anomaly detectors maximizing the accuracy in τ-quantile of most anomalous samples. Such an approach better reflects the needs in the security domain in which subsequent analysis of alarms is costly and can be done only on a small number of alarms. An extensive experimental evaluation and comparison to prior art on real network data using sets of anomaly detectors of two existing intrusion detection systems shows that the proposed method not only outperforms prior art, it is also more robust to noise in training data labels, which is another important feature for deployment in practice.
ISSN: 1389-1286, 1872-7069
DOI: 10.1016/j.comnet.2016.05.021