Towards an Information-Theoretic Framework for Analyzing Intrusion Detection Systems

  • Guofei Gu
  • Prahlad Fogla
  • David Dagon
  • Wenke Lee
  • Boris Skoric
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4189)


IDS research still needs stronger mathematical foundations and theoretical guidelines. In this paper, we build a formal framework, based on information theory, for analyzing and quantifying the effectiveness of an IDS. We first present a formal IDS model, then analyze it following an information-theoretic approach. From this analysis we propose a set of information-theoretic metrics that quantitatively measure the effectiveness of an IDS in terms of feature representation capability, classification information loss, and overall intrusion detection capability. We establish a link relating these metrics, and prove a fundamental upper bound on the intrusion detection capability of an IDS. Our framework is a practical theory: it is data-trace driven and evaluation oriented. In addition to grounding IDS research on a mathematical theory for formal study, the framework provides practical guidelines for IDS fine-tuning, evaluation and design: the provided set of metrics facilitates static or dynamic fine-tuning of an IDS to reach its optimal operating point, and gives a fine-grained means to evaluate IDS performance and improve IDS design. We conduct experiments to demonstrate the utility of our framework in practice.
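The abstract does not spell out how an information-theoretic capability metric is computed or how it drives fine-tuning. The following is an added illustration, not code from the paper: it implements the intrusion detection capability C_ID = I(X;Y)/H(X) that the same authors introduced at ASIACCS 2006 (X is the ground truth, Y the IDS output, so C_ID is the fraction of the ground-truth uncertainty that the alerts remove), expressed in terms of the base rate B, the false-positive rate alpha and the false-negative rate beta. It then uses C_ID to pick the best alert threshold on an ROC curve, which is the "static fine-tuning" use of the metric. The function names and the ROC points are assumptions made here for the example; the ROC points are constructed, not measured from any real IDS.

```python
import math


def entropy_bits(probs):
    """Shannon entropy in bits; zero-probability outcomes contribute nothing."""
    return -sum(p * math.log2(p) for p in probs if p > 0.0)


def detection_capability(base_rate, fp_rate, fn_rate):
    """C_ID = I(X;Y) / H(X) for a binary IDS (Gu et al., ASIACCS 2006).

    X is the ground truth (1 = intrusion), P(X=1) = base_rate (B).
    Y is the IDS output (1 = alert), with P(Y=1|X=0) = fp_rate (alpha)
    and P(Y=0|X=1) = fn_rate (beta).  The ratio is 1 for a perfect IDS and
    0 when alerts carry no information about the ground truth.
    """
    b, alpha, beta = base_rate, fp_rate, fn_rate
    for v in (b, alpha, beta):
        if not 0.0 <= v <= 1.0:
            raise ValueError("rates must lie in [0, 1]")
    h_x = entropy_bits([1.0 - b, b])
    if h_x == 0.0:
        # Ground truth is constant: there is nothing to detect, so C_ID is
        # undefined; report 0 rather than divide by zero.
        return 0.0
    # Joint distribution p(x, y) = p(x) * p(y | x).
    joint = {
        (0, 0): (1.0 - b) * (1.0 - alpha),
        (0, 1): (1.0 - b) * alpha,
        (1, 0): b * beta,
        (1, 1): b * (1.0 - beta),
    }
    p_alert = joint[(0, 1)] + joint[(1, 1)]
    h_y = entropy_bits([1.0 - p_alert, p_alert])
    h_xy = entropy_bits(joint.values())
    mutual_info = h_x + h_y - h_xy  # I(X;Y) = H(X) + H(Y) - H(X,Y)
    # Clamp away floating-point noise slightly below zero for independent X, Y.
    return max(0.0, mutual_info / h_x)


def best_operating_point(base_rate, roc_points):
    """Pick the (fp_rate, fn_rate) pair on an ROC curve that maximises C_ID.

    roc_points: iterable of (alpha, beta) pairs, one per candidate threshold.
    Instead of choosing a threshold by eye, choose the one that preserves the
    most information about the ground truth at the deployment's base rate.
    """
    return max(roc_points, key=lambda ab: detection_capability(base_rate, ab[0], ab[1]))


# Constructed ROC points for a hypothetical anomaly detector: each pair is
# (false-positive rate, false-negative rate) at one alert threshold.
# These numbers are illustrative only, not measured from any real IDS.
EXAMPLE_ROC = [
    (0.0, 1.0),      # threshold so high that nothing alerts
    (0.001, 0.10),
    (0.01, 0.05),
    (0.10, 0.02),
    (1.0, 0.0),      # threshold so low that everything alerts
]

if __name__ == "__main__":
    # The best threshold shifts with the base rate: the rarer intrusions are,
    # the more a false alert costs in information terms.
    for base in (0.1, 0.01, 0.001):
        alpha, beta = best_operating_point(base, EXAMPLE_ROC)
        print(f"B={base:<6} best threshold: alpha={alpha}, beta={beta}, "
              f"C_ID={detection_capability(base, alpha, beta):.3f}")
```

Both endpoints of the ROC curve score 0 because an IDS that always alerts or never alerts tells you nothing about X, and at a base rate of 1% the threshold with the lowest false-positive rate wins even though it misses twice as many attacks as its neighbour: with intrusions that rare, false positives dominate the information loss.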


Keywords: Mutual Information; Intrusion Detection; Information Loss; Intrusion Detection System; Feature Representation





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Guofei Gu (1)
  • Prahlad Fogla (1)
  • David Dagon (1)
  • Wenke Lee (1)
  • Boris Skoric (2)
  1. Georgia Institute of Technology, USA
  2. Philips Research Laboratories, Netherlands
