A Bayesian paradigm for designing intrusion detection systems

This article describes a model based approach to designing network intrusion detection systems. The article considers general methods applicable to many di%erent types of networks, using speci'c algorithms as examples. The central theme is that latent variable hierarchical models constructed using Bayesian methods lead to coherent systems that can handle the complex distributions involved with network tra)c. Bayes’ rule provides a means of combining competing intrusion detection methods such as anomaly detection and pattern recognition. Bayesian methods present evidence of intrusion as probabilities, which are easy for human fraud investigators to interpret. Hierarchical models allow transactions to communicate information about possible intrusions across time and accounts. These hierarchical models contain a transaction level model describing how well individual network transactions 't user and intruder pro'les, an account level model parameterizing bursts associated with network intrusion, and a network-level model that adjusts account level model parameters when an intrusion on one or more account is suspected. c © 2003 Elsevier B.V. All rights reserved.