
Bayesian Event


This preview shows page 1-2-3 out of 10 pages.


Bayesian Event Classification for Intrusion Detection

Christopher Kruegel, Darren Mutz, William Robertson, Fredrik Valeur
Reliable Software Group
University of California, Santa Barbara
{chris, dhm, wkr, fredrik}@cs.ucsb.edu

Abstract

Intrusion detection systems (IDSs) attempt to identify attacks by comparing collected data to predefined signatures known to be malicious (misuse-based IDSs) or to a model of legal behavior (anomaly-based IDSs). Anomaly-based approaches have the advantage of being able to detect previously unknown attacks, but they suffer from the difficulty of building robust models of acceptable behavior which may result in a large number of false alarms. Almost all current anomaly-based intrusion detection systems classify an input event as normal or anomalous by analyzing its features, utilizing a number of different models. A decision for an input event is made by aggregating the results of all employed models.

We have identified two reasons for the large number of false alarms, caused by incorrect classification of events in current systems. One is the simplistic aggregation of model outputs in the decision phase. Often, only the sum of the model results is calculated and compared to a threshold. The other reason is the lack of integration of additional information into the decision process. This additional information can be related to the models, such as the confidence in a model’s output, or can be extracted from external sources. To mitigate these shortcomings, we propose an event classification scheme that is based on Bayesian networks. Bayesian networks improve the aggregation of different model outputs and allow one to seamlessly incorporate additional information. Experimental results show that the accuracy of the event classification process is significantly improved using our proposed approach.

1 Introduction

Intrusion detection can be defined as the process of identifying malicious behavior that targets a network and its resources. Intrusion detection systems have traditionally been classified as either misuse-based or anomaly-based. Systems that use misuse-based techniques contain a number of attack descriptions, or ‘signatures’, that are matched against a stream of audit data looking for evidence of the modeled attacks. The audit data can be gathered from the network [18, 25], from the operating system [7, 17], or from application [23] log files. Signature-based systems have the advantage that they usually generate few false positives (i.e., incorrectly flagging an event as malicious when it is legitimate). Unfortunately, they can only detect those attacks that have been previously specified. That is, they cannot detect intrusions for which they do not have a defined signature.

Anomaly-based techniques follow an approach that is complementary with respect to misuse detection. These approaches rely on models, or profiles, of the normal behavior of users [4, 8], applications [5, 26] and network traffic [10, 14, 15]. Deviations from the established models are interpreted as attacks. Anomaly detection systems have the advantage that they are able to identify previously unknown attacks. By defining an expected, normal state, any abnormal behavior can be detected, whether it is part of the threat model or not. This capability should make anomaly-based systems a preferred choice. However, the advantage of being able to detect previously unknown attacks is usually paid for in terms of a large number of false positives. This can make the system unusable by flooding and eventually desensitizing the system administrator with large numbers of incorrect alerts.

We have identified two main problems that contribute to the large number of false positives. First, the decision whether an event should be classified as anomalous or as normal is made in a simplistic way. Anomaly detection systems usually contain a collection of models that evaluate different features of an event. These models return an anomaly score or a probability value that reflects the ‘normality’ of this event according to their current profiles. However, the system is faced with the task of aggregating the different model outputs into a single, final result. The difficulty is the fact that this aggregation is not easy to perform, especially when the individual model outputs differ significantly. In most current systems, the problem is solved by calculating the sum of the outputs and comparing it to a static threshold. The disadvantage of this approach is the fact that this threshold has to be small enough to detect malicious events that only manifest themselves in a single anomalous feature (i.e., only one model outputs a high value indicating malicious behavior). This can lead to false positives, because events with many features that deviate slightly from the profile might receive aggregated scores that exceed the threshold.

The second problem of anomaly-based systems is that they cannot distinguish between anomalous behavior caused by unusual but legitimate actions and activity that is the manifestation of an attack. This leads to the situation where any deviation from normal behavior is reported as suspicious, ignoring potential additional information that might suggest otherwise. Such additional information can be external to the system, received from system health monitors (e.g., CPU utilization, memory usage, process status) or other intrusion detection sensors. Consider the example of an IDS that monitors a web server by analyzing the system calls that the server process invokes. A sudden jump in CPU utilization and a continuous increase of the memory allocated by the server process can corroborate the belief that a certain system call contains traces of a denial-of-service attack. Additional information can also be directly related to the models, such as the confidence in a model output. Depending on the site-specific structure of input events, certain features might not be suitable to distinguish between legitimate and malicious activity. In such a case, the confidence in the output of the model based on these features should be reduced.

We propose to mitigate the two problems described above by replacing the simple, threshold-based decision process with a Bayesian network. Instead of calculating the sum of individual model outputs and comparing the result to a threshold, we utilize a Bayesian decision process to classify input events. This process allows us to seamlessly incorporate available additional information into the detection
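
The aggregation problem described in the introduction, as an added example that is not code from the paper: a sum-and-threshold rule next to a naive-Bayes posterior with per-model confidence, which stands in here for the paper's Bayesian network (its structure is not shown in this preview). All scores, cut-offs, probabilities and names are constructed assumptions.

```python
import math

# Constructed anomaly scores in [0, 1] from five hypothetical feature models.
EVENTS = {
    "benign_drift":   [0.30, 0.30, 0.30, 0.30, 0.30],  # many slight deviations
    "single_feature": [0.05, 0.05, 0.95, 0.05, 0.05],  # one model fires strongly
    "ordinary":       [0.05, 0.05, 0.05, 0.05, 0.05],
}
# Assumed conditional probabilities P(level | class); illustrative values only.
P_LEVEL = {
    "benign": {"normal": 0.70, "uncommon": 0.299, "irregular": 0.001},
    "attack": {"normal": 0.55, "uncommon": 0.250, "irregular": 0.200},
}
PRIOR_ATTACK = 0.02  # assumed base rate of malicious events


def sum_threshold(scores, threshold=1.0):
    """Baseline from the text: sum the model outputs, compare to a static threshold."""
    return sum(scores) > threshold


def level(score):
    """Discretize a model output into one of three evidence levels (assumed cut-offs)."""
    if score < 0.2:
        return "normal"
    return "uncommon" if score < 0.7 else "irregular"


def posterior_attack(scores, confidence=None):
    """P(attack | model outputs) under a naive-Bayes simplification.

    confidence[i] in [0, 1] scales model i's log-likelihood ratio, so a model
    judged unreliable for this site moves the posterior less.
    """
    confidence = confidence or [1.0] * len(scores)
    log_odds = math.log(PRIOR_ATTACK / (1.0 - PRIOR_ATTACK))
    for score, conf in zip(scores, confidence):
        lv = level(score)
        log_odds += conf * math.log(P_LEVEL["attack"][lv] / P_LEVEL["benign"][lv])
    return 1.0 / (1.0 + math.exp(-log_odds))


if __name__ == "__main__":
    for name, scores in EVENTS.items():
        print(name, sum_threshold(scores), round(posterior_attack(scores), 3))
    # Same single-feature event, but the firing model has low confidence.
    print(round(posterior_attack(EVENTS["single_feature"], [1, 1, 0.2, 1, 1]), 3))
```

The sum rule needs a threshold below 1.15 to catch the single-feature event, and therefore also flags the benign drift event (sum 1.5); the posterior separates the two and drops sharply when the firing model's confidence is reduced.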

