Recent Advances in Intrusion Detection

Volume 5230 of the series Lecture Notes in Computer Science pp 271-290

Determining Placement of Intrusion Detectors for a Distributed Application through Bayesian Network Modeling

  • Gaspar Modelo-HowardAffiliated withSchool of Electrical and Computer Engineering, Purdue University
  • , Saurabh BagchiAffiliated withSchool of Electrical and Computer Engineering, Purdue University
  • , Guy LebanonAffiliated withSchool of Electrical and Computer Engineering, Purdue University

* Final gross prices may vary according to local VAT.

Get Access


To secure today’s computer systems, it is critical to have different intrusion detection sensors embedded in them. The complexity of distributed computer systems makes it difficult to determine the appropriate configuration of these detectors, i.e., their choice and placement. In this paper, we describe a method to evaluate the effect of the detector configuration on the accuracy and precision of determining security goals in the system. For this, we develop a Bayesian network model for the distributed system, from an attack graph representation of multi-stage attacks in the system. We use Bayesian inference to solve the problem of determining the likelihood that an attack goal has been achieved, given a certain set of detector alerts. We quantify the overall detection performance in the system for different detector settings, namely, choice and placement of the detectors, their quality, and levels of uncertainty of adversarial behavior. These observations lead us to a greedy algorithm for determining the optimal detector settings in a large-scale distributed system. We present the results of experiments on Bayesian networks representing two real distributed systems and real attacks on them.


Intrusion detection detector placement Bayesian networks attack graph