Prioritizing intrusion analysis using Dempster-Shafer theory

Authors: Loai Zomlot, Sathya Chandran Sundaramurthy, Kui Luo, Xinming Ou, S. Raj Rajagopalan

DOI: 10.1145/2046684.2046694

Keywords:

Abstract: Intrusion analysis and incident management remains a difficult problem in practical network security defense. The root cause of this problem is the high rate of false positives in the sensors used by Intrusion Detection Systems (IDS), which reduces the value of the alerts to an administrator. Standard Bayesian theory has not been effective in this regard because of the lack of good prior knowledge. This paper presents an approach to handling such uncertainty without the need for prior information, through Dempster-Shafer (DS) theory. We address a number of subtle but fundamental issues in applying DS to intrusion analysis, including how to model sensors' trustworthiness, where to obtain the parameters, and independence among alerts. We present an efficient algorithm for carrying out the belief calculation on an IDS alert correlation graph, so that one can compute a belief score for a given hypothesis, e.g. that a specific machine is compromised. The strength of the belief can be used to sort incident-related hypotheses and prioritize further human analysis of the associated evidence. We have implemented our approach on top of the open-source IDS Snort and evaluated its effectiveness on data sets as well as on a production network. The resulting belief scores were verified both by anecdotal experience and by comparing the rankings with the ground truths provided with the data sets we used for evaluation, showing that the approach is effective at prioritizing alerts and thereby mitigates the high false positive rate in intrusion analysis.
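The following is an added illustration of the belief calculation the abstract refers to; it is not the paper's code and does not reproduce the authors' correlation-graph algorithm. It applies plain Dempster's rule of combination over a two-element frame per host, {compromised, not compromised}, treating each alert as evidence from a sensor whose trustworthiness t goes to the mass on the hypothesis it supports and whose remainder 1 - t goes to ignorance (the whole frame), and assuming alerts are independent, which is exactly one of the issues the abstract says the paper has to address. The trust values, host addresses and alerts are constructed for the example.

```python
"""Dempster-Shafer belief scoring of IDS alerts (added illustration).

Frame of discernment per host: {C, N} = {compromised, not compromised}.
An alert from a sensor with trust t becomes the mass function
    m({C}) = t,   m(Theta) = 1 - t
so the sensor's unreliability is modelled as ignorance, not as evidence
for "not compromised". Per-host masses are fused with Dempster's rule and
hosts are ranked by Bel({C}). Independence of alerts is assumed here.
"""
from itertools import product

C = frozenset({"C"})            # hypothesis "host is compromised"
N = frozenset({"N"})            # hypothesis "host is not compromised"
THETA = frozenset({"C", "N"})   # the whole frame (ignorance)


def alert_mass(trust: float, supports_compromise: bool = True) -> dict:
    """Mass function for one alert; trust is the sensor's reliability in [0, 1]."""
    if not 0.0 <= trust <= 1.0:
        raise ValueError("trust must be in [0, 1]")
    focal = C if supports_compromise else N
    return {focal: trust, THETA: 1.0 - trust}


def combine(m1: dict, m2: dict) -> dict:
    """Dempster's rule: intersect focal elements, drop conflict, renormalise."""
    joint = {}
    conflict = 0.0
    for (a, wa), (b, wb) in product(m1.items(), m2.items()):
        inter = a & b
        if not inter:
            conflict += wa * wb          # mass on disjoint sets is discarded
        else:
            joint[inter] = joint.get(inter, 0.0) + wa * wb
    if conflict >= 1.0:
        # Fully contradictory evidence; Dempster's rule is undefined here.
        raise ValueError("total conflict: evidence cannot be combined")
    return {k: v / (1.0 - conflict) for k, v in joint.items()}


def belief(m: dict, hypothesis: frozenset) -> float:
    """Bel(H): total mass committed to subsets of H."""
    return sum(v for k, v in m.items() if k <= hypothesis)


def plausibility(m: dict, hypothesis: frozenset) -> float:
    """Pl(H): total mass not contradicting H (includes ignorance)."""
    return sum(v for k, v in m.items() if k & hypothesis)


def score_hosts(alerts):
    """alerts: iterable of (host, sensor_trust, supports_compromise).

    Returns {host: (Bel(C), Pl(C))} after fusing all alerts for each host.
    """
    per_host = {}
    for host, trust, supports in alerts:
        m = alert_mass(trust, supports)
        per_host[host] = combine(per_host[host], m) if host in per_host else m
    return {h: (belief(m, C), plausibility(m, C)) for h, m in per_host.items()}


def rank_hosts(alerts):
    """Hosts ordered by decreasing belief that they are compromised."""
    scores = score_hosts(alerts)
    return sorted(scores, key=lambda h: scores[h][0], reverse=True)


# Constructed sample: (host, trust of the sensor that fired, what it claims).
SAMPLE_ALERTS = [
    ("10.0.0.5", 0.7, True),     # network IDS signature on a web server
    ("10.0.0.5", 0.6, True),     # host agent on the same box agrees
    ("10.0.0.9", 0.9, True),     # a highly trusted sensor fires ...
    ("10.0.0.9", 0.5, False),    # ... but a second sensor calls it benign
    ("10.0.0.12", 0.3, True),    # only a noisy, low-trust sensor fires
]

if __name__ == "__main__":
    for host, (bel, pl) in score_hosts(SAMPLE_ALERTS).items():
        print(f"{host:10s} Bel(C)={bel:.3f} Pl(C)={pl:.3f}")
    print("triage order:", rank_hosts(SAMPLE_ALERTS))
```

Two corroborating medium-trust alerts on 10.0.0.5 fuse to a belief of 0.88, above the 0.82 of 10.0.0.9 where a trusted alert is partly contradicted, and far above the single low-trust alert on 10.0.0.12; the gap between Bel and Pl on 10.0.0.9 is the residual uncertainty an analyst would still have to resolve. Combining two fully contradictory, fully trusted masses is rejected rather than silently renormalised.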

References (33)
James C. Bezdek. Analysis of Fuzzy Information. CRC Press, 1987.
Yan Zhai, Peng Ning, P. Iyer, D. S. Reeves. Reasoning about complementary intrusion evidence. Annual Computer Security Applications Conference, pp. 39-48, 2004. doi:10.1109/CSAC.2004.29
S. Noel, E. Robertson, S. Jajodia. Correlating intrusion events and building attack scenarios through attack graph distances. Annual Computer Security Applications Conference, pp. 350-359, 2004. doi:10.1109/CSAC.2004.11
Joseph Y. Halpern. Reasoning about Uncertainty. 2003.
Reuben Smith, Nathalie Japkowicz, Maxwell Dondo, Peter Mason. Using unsupervised learning for network alert correlation. Canadian AI'08: Proceedings of the 21st Conference of the Canadian Society for Computational Studies of Intelligence on Advances in Artificial Intelligence, pp. 308-319, 2008. doi:10.1007/978-3-540-68825-9_29
Gaspar Modelo-Howard, Saurabh Bagchi, Guy Lebanon. Determining placement of intrusion detectors for a distributed application through Bayesian network modeling. Recent Advances in Intrusion Detection, pp. 271-290, 2008. doi:10.1007/978-3-540-87403-4_15
Matthew V. Mahoney, Philip K. Chan. An analysis of the 1999 DARPA/Lincoln Laboratory evaluation data for network anomaly detection. Recent Advances in Intrusion Detection, pp. 220-237, 2003. doi:10.1007/978-3-540-45248-5_13
Kari Sentz, Scott Ferson. Combination of Evidence in Dempster-Shafer Theory. Technical report, April 2002. doi:10.2172/800792
Finn B. Jensen, Thomas Graven-Nielsen. Bayesian Networks and Decision Graphs. 2001.
Colin Howson. Theories of probability. The British Journal for the Philosophy of Science, vol. 46, pp. 1-32, 1995. doi:10.1093/bjps/46.1.1