Common practice in anomaly-based intrusion detection assumes that one size fits all: a single anomaly detector should detect all anomalies. Compensation for any performance shortcoming is sometimes effected by resorting to correlation techniques, which could be seen as making use of detector diversity. Such diversity is intuitively based on the assumption that detector coverage is different – perhaps widely different – for different detectors, each covering some disparate portion of the anomaly space. Diversity, then, enhances detection coverage by combining the coverages of individual detectors across multiple sub-regions of the anomaly space, resulting in an overall detection coverage that is superior to the coverage of any one detector. No studies have been done, however, in which measured effects of diversity amongst anomaly detectors have been obtained. This paper explores the effects of using diverse anomalydetection algorithms in intrusion detection. Experimental results i...
Kymie M. C. Tan, Roy A. Maxion