In this paper, we develop a model of intrusion detection based on semi-supervised learning. This model attempts to fuse misuse detection with anomaly detection and to exploit strengths of both. In the process of developing this model, we examine different cost functions for the IDS domain and identify two key assumptions that are often implicitly employed in the IDS literature. We demonstrate that relaxing these assumptions requires a decision-theoretic control maker based on the partially observable Markov decision process (POMDP) framework. This insight opens up a novel space of IDS models and allows precise quantification of the computational expense of optimal decision making for specific IDS variants (e.g., additional data sources) and cost functions. While decision-making for many POMDPs is formally intractable, recognizing the equivalence of the IDS problem to solution of a POMDP makes available the wide variety of exact and approximate learning techniques developed for POMDPs. We demonstrate the performance of the simplest of these models (for which optimal decision-making is tractable) on a previously studied user-level IDS problem, showing that, at the lower limit, our semi-supervised learning model is equivalent to a pure anomaly detection system, but that our model is also capable of exploiting increasing degrees of intermittently labeled data. When such intermittently labeled data is available, our system performs strongly compared to a number of current, pure anomaly detection systems.
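To make the POMDP framing of the abstract concrete, the following added example (not the paper's code or model) treats a user session as a hidden two-state process, "normal" or "intrusion", updates a belief over that state from a stream of audit events, and picks the action with least expected cost under a constructed cost function. The observation, transition and cost tables are hypothetical, and the optional ground-truth label per step stands in for the intermittently labeled data the abstract describes; supplying it collapses the belief onto the labeled state.

```python
# Added illustration of the IDS-as-POMDP view described in the abstract (not the paper's own code).
# Hidden state: "normal" or "intrusion". Observations: coarse audit events. Actions: "pass" or "alarm".
STATES = ("normal", "intrusion")

# Constructed observation likelihoods P(obs | state); all values are hypothetical.
OBS_MODEL = {
    "normal":    {"login": 0.5, "read": 0.4, "priv_esc": 0.1},
    "intrusion": {"login": 0.2, "read": 0.3, "priv_esc": 0.5},
}
# Constructed transition model P(next_state | state): sessions mostly persist in their state.
TRANSITION = {"normal":    {"normal": 0.95, "intrusion": 0.05},
              "intrusion": {"normal": 0.10, "intrusion": 0.90}}
# Constructed cost matrix COST[action][true_state]: a missed intrusion costs far more than a false alarm.
COST = {"pass":  {"normal": 0.0, "intrusion": 10.0},
        "alarm": {"normal": 1.0, "intrusion": 0.0}}


def belief_update(belief, obs, label=None):
    """One POMDP belief step: predict through TRANSITION, then condition on obs by Bayes' rule.
    When an intermittent ground-truth label is available (the semi-supervised case), the belief
    collapses onto that state instead of relying on the observation alone."""
    if label is not None:
        return {s: (1.0 if s == label else 0.0) for s in STATES}
    predicted = {s2: sum(belief[s1] * TRANSITION[s1][s2] for s1 in STATES) for s2 in STATES}
    unnorm = {s: predicted[s] * OBS_MODEL[s][obs] for s in STATES}
    z = sum(unnorm.values())
    return {s: unnorm[s] / z for s in STATES}


def choose_action(belief):
    """Myopic (one-step) decision: the action with the least expected cost under the belief.
    With these costs it alarms once P(intrusion) exceeds 1/11."""
    expected = {a: sum(belief[s] * COST[a][s] for s in STATES) for a in COST}
    return min(expected, key=expected.get)


def run_trace(events, labels=None, prior=None):
    """Walk an event trace and return (action, P(intrusion)) for each step.
    labels[i] is None when no ground truth is available at step i (intermittent labeling)."""
    belief = dict(prior or {"normal": 0.99, "intrusion": 0.01})
    labels = labels or [None] * len(events)
    out = []
    for obs, label in zip(events, labels):
        belief = belief_update(belief, obs, label)
        out.append((choose_action(belief), round(belief["intrusion"], 4)))
    return out


if __name__ == "__main__":
    trace = ["login", "priv_esc", "priv_esc"]          # constructed sample session
    print("unlabeled:", run_trace(trace))
    print("labeled  :", run_trace(trace, labels=[None, "normal", None]))
```

Running the same trace with and without the label at step 2 shows the lower limit the abstract mentions: with no labels the decision rests purely on how anomalous the observations look, and each label injected mid-trace resets the belief before the next observation is folded in.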
Lane, T. (2006). A Decision-Theoretic, Semi-Supervised Model for Intrusion Detection. In Machine Learning and Data Mining for Computer Security (pp. 157–177). Springer-Verlag. https://doi.org/10.1007/1-84628-253-5_10