dc.contributor.supervisor: Furnell, Steven
dc.contributor.author: Tucker, Christopher John
dc.contributor.other: School of Engineering, Computing and Mathematics
dc.date.accessioned: 2013-06-21T08:09:03Z
dc.date.available: 2013-06-21T08:09:03Z
dc.date.issued: 2013
dc.identifier: 303887
dc.identifier.uri: http://hdl.handle.net/10026.1/1547
dc.description.abstract:

Intrusion systems have been the subject of considerable research during the past 33 years, since the original work of Anderson. Much has been published attempting to improve their performance using advanced data processing techniques including neural nets, statistical pattern recognition and genetic algorithms. Whilst some significant improvements have been achieved, they are often the result of assumptions that are difficult to justify, and comparing performance between different research groups is difficult. The thesis develops a new approach to defining performance focussed on comparing intrusion systems and technologies. A new taxonomy is proposed in which the type of output and the data scale over which an intrusion system operates are used for classification. The inconsistencies and inadequacies of existing definitions of detection are examined and five new intrusion levels are proposed from analogy with other detection-based technologies. These levels are known as detection, recognition, identification, confirmation and prosecution, each representing an increase in the information output from, and functionality of, the intrusion system. These levels are contrasted over four physical data scales, from application/host through to enterprise networks, introducing and developing the concept of a footprint as a pictorial representation of the scope of an intrusion system. An intrusion is now defined as “an activity that leads to the violation of the security policy of a computer system”. Five different intrusion technologies are illustrated using the footprint, with current challenges also shown to stimulate further research. Integrity in the presence of mixed trust data streams at the highest intrusion level is identified as particularly challenging. Two metrics new to intrusion systems are defined to quantify performance and further aid comparison.

Sensitivity is introduced to define basic detectability of an attack in terms of a single parameter, rather than the usual four currently in use. Selectivity is used to describe the ability of an intrusion system to discriminate between attack types. These metrics are quantified experimentally for network intrusion using the DARPA 1999 dataset and SNORT. Only nine of the 58 attack types present were detected with sensitivities in excess of 12 dB, indicating that detection performance for the attack types present in this dataset remains a challenge. The measured selectivity was also poor, indicating that only three of the attack types could be confidently distinguished. The highest value of selectivity was 3.52, significantly lower than the theoretical limit of 5.83 for the evaluated system. Options for improving selectivity and sensitivity through additional measurements are examined.
dc.description.sponsorship: Stochastic Systems Ltd
dc.language.iso: en
dc.publisher: University of Plymouth
dc.subject: Network Intrusion Detection
dc.subject: Performance Metrics
dc.subject: DARPA 1999
dc.subject: Sensitivity
dc.subject: Selectivity
dc.title: Performance Metrics for Network Intrusion Systems
dc.type: Thesis
plymouth.version: Full version
dc.identifier.doi: http://dx.doi.org/10.24382/4315