Applying Decision Tree and Bayesian Theorems to Intrusion Detector Evaluation By Wei Li
Problem Description
• An intrusion detector indicates whether an intrusion is being attempted
• Different approaches have been used
• An intrusion detector can be tuned to meet the operating environment
• How to measure a detector's performance
  • Receiver operating characteristic (ROC) curve, which is a plot of detection probability versus false alarm rate
  • Cost metrics
    • Damage
    • Challenge
    • Operational
  • Decision tree approach
How Can Decision Tree and Bayesian Theorems Be Applied to Intrusion Detector Evaluation
• A detector is evaluated by its cost
  • Responding as though there were an intrusion when there is none: Cα
  • Failing to respond to an intrusion: Cβ
• A decision tree describes the operation of the detector and the actions/responses that can be taken
  • Nodes are actions/uncertain events
  • Each uncertain event has its probability of occurrence
  • Using Bayesian theorem
  • Paths are consequences of combinations of actions and events
  • Costs correspond to these consequences
Evaluation Process
• Procedure to follow
  • Costs are assessed for all paths through the decision tree and all probabilities are calculated
  • The expected cost is determined for event nodes by taking the sum of products of probabilities and costs for all of the node's branches
  • This procedure is repeated until all expected values are determined for all nodes
  • Finally, the operating point is chosen (the point with the least operating cost) and different detectors are compared
• What should we do
  • Repeat the experiments
  • Compare the results with those obtained from ROC curves
  • Refine the model
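The evaluation procedure above, carried through in code as an added example (not from the original slides). Assumptions: the prior probability of intrusion `p_intrusion`, the three ROC operating points, and the cost values are constructed, and the only non-zero path costs are Cα and Cβ (a correct response and a correct non-response cost 0).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class OperatingPoint:
    name: str
    p_detect: float       # P(alarm | intrusion), ROC y-axis
    p_false_alarm: float  # P(alarm | no intrusion), ROC x-axis

def expected_cost(pt, p_intrusion, c_alpha, c_beta):
    """Roll back the tree: detector report -> respond/ignore -> true state."""
    total = 0.0
    for alarm in (True, False):
        # Likelihood of this report under each true state
        like_i = pt.p_detect if alarm else 1 - pt.p_detect
        like_n = pt.p_false_alarm if alarm else 1 - pt.p_false_alarm
        p_report = like_i * p_intrusion + like_n * (1 - p_intrusion)
        if p_report == 0:
            continue  # this branch can never occur
        # Bayes' theorem: P(intrusion | report)
        posterior = like_i * p_intrusion / p_report
        # Event-node expected costs for each action at the decision node
        cost_respond = (1 - posterior) * c_alpha  # responded, no intrusion
        cost_ignore = posterior * c_beta          # ignored a real intrusion
        # Decision node keeps the cheaper action; weight by P(report)
        total += p_report * min(cost_respond, cost_ignore)
    return total

def best_operating_point(points, p_intrusion, c_alpha, c_beta):
    """Operating point with the least expected cost."""
    return min(points,
               key=lambda pt: expected_cost(pt, p_intrusion, c_alpha, c_beta))

# Constructed ROC points for one detector at three threshold settings
POINTS = [
    OperatingPoint("A", p_detect=0.50, p_false_alarm=0.01),
    OperatingPoint("B", p_detect=0.80, p_false_alarm=0.05),
    OperatingPoint("C", p_detect=0.95, p_false_alarm=0.30),
]
C_ALPHA, C_BETA = 1.0, 50.0  # constructed costs

if __name__ == "__main__":
    for prior in (0.01, 0.20):
        for pt in POINTS:
            cost = expected_cost(pt, prior, C_ALPHA, C_BETA)
            print(f"prior={prior:.2f} {pt.name}: {cost:.4f}")
        best = best_operating_point(POINTS, prior, C_ALPHA, C_BETA)
        print(f"prior={prior:.2f} best operating point: {best.name}")
```

With these constructed numbers the least-cost operating point moves from B to C when the prior rises from 0.01 to 0.20, which the ROC curve alone does not show.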