Model Generalization and Its Implications on Intrusion Detection

  • Zhuowei Li
  • Amitabha Das
  • Jianying Zhou
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3531)


To make up for the incompleteness of the known behaviors of a computing resource, model generalization is used to infer additional behaviors for the behavior model beyond those already observed. In principle, model generalization can improve the detection rate, but it may also degrade the detection performance. The relation between model generalization and detection performance is therefore critical for intrusion detection. However, most past research evaluates only the overall efficiency of an intrusion detection technique, via detection rate and false alarm (false positive) rate, rather than the usefulness of model generalization itself for intrusion detection. In this paper, we attempt such an evaluation and then draw out the implications of model generalization for intrusion detection. Within our proposed methodology, model generalization can be achieved at three levels; in this paper, we evaluate the first level of model generalization. The experimental results show that first level model generalization is useful mostly for enhancing the detection performance of intrusion detection. However, its implications for intrusion detection differ from one detection technique to another. Our studies show that, in general, although it is useful to generalize the normal behavior model so that more normal behaviors can be identified as such, the same is not advisable for the intrusive behavior model. Therefore, intrusion signatures should be built compactly, without first level generalization.


Keywords: Security; Machine Learning; Intrusion Detection; Generalization; Intrusion; Security Infrastructure



Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Zhuowei Li (1, 2)
  • Amitabha Das (1)
  • Jianying Zhou (2)
  1. School of Computer Engineering, Nanyang Technological University, Singapore
  2. Institute for Infocomm Research, Singapore
