Title :
Reasoning about complementary intrusion evidence
Author :
Zhai, Yan ; Ning, Peng ; Iyer, Purush ; Reeves, Douglas S.
Author_Institution :
Dept. of Comput. Sci., North Carolina State Univ., Raleigh, NC, USA
Abstract :
This paper presents techniques to integrate and reason about complementary intrusion evidence such as alerts generated by intrusion detection systems (IDSs) and reports by system monitoring or vulnerability scanning tools. To facilitate the modeling of intrusion evidence, this paper classifies intrusion evidence into either event-based evidence or state-based evidence. Event-based evidence refers to observations (or detections) of intrusive actions (e.g., IDS alerts), while state-based evidence refers to observations of the effects of intrusions on system states. Based on the interdependency between event-based and state-based evidence, this paper develops techniques to automatically integrate complementary evidence into Bayesian networks, and reason about uncertain or unknown intrusion evidence based on verified evidence. The experimental results in this paper demonstrate the potential of the proposed techniques. In particular, additional observations by system monitoring or vulnerability scanning tools can potentially reduce the false alert rate and increase the confidence in alerts corresponding to successful attacks.
Keywords :
belief networks; inference mechanisms; security of data; system monitoring; Bayesian networks; complementary intrusion evidence; event-based evidence; intrusion detection system; state-based evidence; vulnerability scanning tools; Bayesian methods; Computer science; Computerized monitoring; Correlation; Humans; Information analysis; Intrusion detection; Laboratories; Performance analysis; Software tools
Conference_Title :
Computer Security Applications Conference, 2004. 20th Annual
Print_ISBN :
0-7695-2252-1
DOI :
10.1109/CSAC.2004.29