It is generally believed that by combining several diverse intrusion detectors (i.e., forming an IDS ensemble), one may achieve better performance. However, there has been very little work on analyzing the effectiveness of an IDS ensemble. This paper studies the following problem: how to make a good fusion decision on the alerts from multiple detectors in order to improve the final performance. The paper proposes a decision-theoretic alert fusion technique based on the Likelihood Ratio Test (LRT). The paper reports the experience from empirical studies, and formally analyzes its practical interpretation based on ROC curve analysis.
- Format: PDF
- Size: 350.9 KB