Sciweavers

ACSAC
2004
IEEE

Reasoning About Complementary Intrusion Evidence

14 years 4 months ago
Reasoning About Complementary Intrusion Evidence
This paper presents techniques to integrate and reason about complementary intrusion evidence such as alerts generated by intrusion detection systems (IDSs) and reports by system monitoring or vulnerability scanning tools. To facilitate the modeling of intrusion evidence, this paper classifies intrusion evidence into either event-based evidence or state-based evidence. Event-based evidence refers to observations (or detections) of intrusive actions (e.g., IDS alerts), while state-based evidence refers to observations of the effects of intrusions on system states. Based on the interdependency between event-based and state-based evidence, this paper develops techniques to automatically integrate complementary evidence into Bayesian networks, and reason about uncertain or unknown intrusion evidence based on verified evidence. The experimental results in this paper demonstrate the potential of the proposed techniques. In particular, additional observations by system monitoring or vulnerab...
Yan Zhai, Peng Ning, Purush Iyer, Douglas S. Reeve
Added 20 Aug 2010
Updated 20 Aug 2010
Type Conference
Year 2004
Where ACSAC
Authors Yan Zhai, Peng Ning, Purush Iyer, Douglas S. Reeves
Comments (0)