Sciweavers

NSPW
2004
ACM

The role of suspicion in model-based intrusion detection

14 years 5 months ago
The role of suspicion in model-based intrusion detection
We argue in favor of the explicit inclusion of suspicion as a concrete concept to be used in the analysis of audit data in order to guide the search for evidence of misuse. Our approach is similar to that of a human forensic analyst, who first notices details that seem slightly odd, and then investigates further and cross checks information in an attempt to build a coherent explanation for the observed details. We use deductive reasoning combined with expert knowledge about system behavior, potential attacks and evidence, and patterns of suspicion to link individual clues together in an automated way. A prototype implementation that was designed based on these considerations is presented, including details of how suspicions and deductions are represented, and how these structures are updated as new evidence is discovered. Finally, we describe how this algorithm performs in practice on a realistic example where five discrete pieces of evidence are brought together automatically to crea...
Timothy Hollebeek, Rand Waltzman
Added 30 Jun 2010
Updated 30 Jun 2010
Type Conference
Year 2004
Where NSPW
Authors Timothy Hollebeek, Rand Waltzman
Comments (0)