We argue in favor of the explicit inclusion of suspicion as a concrete concept to be used in the analysis of audit data in order to guide the search for evidence of misuse. Our approach is similar to that of a human forensic analyst, who first notices details that seem slightly odd, and then investigates further and cross-checks information in an attempt to build a coherent explanation for the observed details. We use deductive reasoning combined with expert knowledge about system behavior, potential attacks and evidence, and patterns of suspicion to link individual clues together in an automated way. We present a prototype implementation designed on the basis of these considerations, including details of how suspicions and deductions are represented, and how these structures are updated as new evidence is discovered. Finally, we describe how this algorithm performs in practice on a realistic example where five discrete pieces of evidence are brought together automatically to crea...
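As an added illustration (not the paper's prototype or its data structures), the following Python sketch shows one way the mechanism described above can be organized: clue rules turn individual audit records into named suspicions, and deduction rules combine the suspicions accumulated for a session into hypotheses that are re-evaluated each time a new record arrives. The rule names, weights, session grouping and audit events are all constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Suspicion:
    """One oddity noticed in the audit trail, with the record that raised it."""
    name: str
    weight: float
    event: dict

@dataclass
class Case:
    """Suspicions and deductions accumulated for one session (hypothetical grouping key)."""
    suspicions: list = field(default_factory=list)
    deductions: list = field(default_factory=list)

# Clue rules (hypothetical): expert knowledge mapping one audit record to a named suspicion.
CLUE_RULES = [
    (lambda e: e["type"] == "login" and e["hour"] < 6, "off_hours_login", 0.2),
    (lambda e: e["type"] == "exec" and e["cmd"] in ("su", "sudo"), "privilege_change", 0.3),
    (lambda e: e["type"] == "file_write" and e["path"].startswith("/etc/"), "config_file_modified", 0.4),
]

# Deduction rules (hypothetical): a set of suspicions that together support a hypothesis.
DEDUCTION_RULES = [
    ({"off_hours_login", "privilege_change"}, "credential_misuse"),
    ({"privilege_change", "config_file_modified"}, "persistence_after_escalation"),
]

class SuspicionTracker:
    def __init__(self):
        self.cases = {}

    def observe(self, event):
        """Process one audit record: raise suspicions, then re-run deductions for its session."""
        case = self.cases.setdefault(event["session"], Case())
        for predicate, name, weight in CLUE_RULES:
            if predicate(event):
                case.suspicions.append(Suspicion(name, weight, event))
        present = {s.name for s in case.suspicions}
        for pattern, hypothesis in DEDUCTION_RULES:
            if pattern <= present and hypothesis not in case.deductions:
                case.deductions.append(hypothesis)  # deduced as soon as the pattern is complete
        return case

    def score(self, session):
        """Aggregate suspicion weight for a session, used to rank what to investigate first."""
        return round(sum(s.weight for s in self.cases[session].suspicions), 2)

# Constructed audit records: session s1 is suspicious, session s2 is routine activity.
AUDIT_EVENTS = [
    {"session": "s1", "type": "login", "user": "alice", "hour": 3},
    {"session": "s2", "type": "login", "user": "bob", "hour": 10},
    {"session": "s1", "type": "exec", "user": "alice", "cmd": "su"},
    {"session": "s2", "type": "exec", "user": "bob", "cmd": "ls"},
    {"session": "s1", "type": "file_write", "user": "root", "path": "/etc/cron.d/job"},
]

def run_demo():
    tracker = SuspicionTracker()
    for ev in AUDIT_EVENTS:
        tracker.observe(ev)
    return tracker
```

Each clue on its own is weak; the point of the structure is that the deductions (and the ranking score) are recomputed incrementally as evidence arrives, so an analyst sees the hypothesis form rather than a flat list of alerts.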