{"title":"Foundations of intrusion detection (computer security)","authors":"P. Helman, G. Liepins, Wynette Richards","doi":"10.1109/CSFW.1992.236783","DOIUrl":null,"url":null,"abstract":"Computer use is modeled as a mixture of two stochastic processes, normal and misuse. Intrusion detection is formally defined as identifying those transactions generated by the misuse process. Bounds for detection performance are derived in terms of the ratios of the densities of the processes at the individual transactions. It is shown that any optimal intrusion detection system must rank transaction suspicion consistently with these ratios. Sparsity of data requires that transactions be grouped into equivalence classes that preserve the order of the true ratio ranking and reduce the number of singleton and unobserved transactions. Results are described that demonstrate that in general this 'singleton reduction' problem is NP-hard.<<ETX>>","PeriodicalId":350578,"journal":{"name":"[1992] Proceedings The Computer Security Foundations Workshop V","volume":"24 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"1992-06-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"22","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"[1992] Proceedings The Computer Security Foundations Workshop V","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CSFW.1992.236783","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 22
Abstract
Computer use is modeled as a mixture of two stochastic processes, normal and misuse. Intrusion detection is formally defined as identifying those transactions generated by the misuse process. Bounds for detection performance are derived in terms of the ratios of the densities of the processes at the individual transactions. It is shown that any optimal intrusion detection system must rank transaction suspicion consistently with these ratios. Sparsity of data requires that transactions be grouped into equivalence classes that preserve the order of the true ratio ranking and reduce the number of singleton and unobserved transactions. Results are described that demonstrate that in general this 'singleton reduction' problem is NP-hard.<>
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
![[1992] Proceedings The Computer Security Foundations Workshop V](/Content/css/sci/img/zetp.jpg)
求助内容:
应助结果提醒方式:
扫码关注我们
