Reasoning about Complementary Intrusion Evidence

Yan Zhai
North Carolina State University
USA

Peng Ning
North Carolina State University
USA

Purush Iyer
North Carolina State University
USA

Douglas Reeves
North Carolina State University
USA

This paper presents techniques to integrate and reason about
complementary intrusion evidence such as intrusion alerts generated
by intrusion detection systems (IDSs) and reports by system
monitoring or vulnerability scanning tools. To facilitate the
modeling of intrusion evidence, this paper classifies intrusion
evidence into either event-based evidence or state-based
evidence. Event-based evidence refers to observations (or detections)
of intrusive actions (e.g., IDS alerts), while state-based
evidence refers to observations of the effects of intrusions on
system states. Based on the interdependency between event-based and
state-based evidence, this paper develops techniques to
automatically integrate complementary evidence into Bayesian
networks, and reason about uncertain or unknown intrusion evidence
based on verified evidence. The experimental results in this paper
demonstrate the potential of the proposed techniques. In particular,
additional observations by system monitoring or vulnerability
scanning tools can potentially reduce the false alert rate and
increase the confidence in alerts corresponding to successful
attacks.
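The following is an added illustration of the kind of reasoning the abstract describes; it is not code or data from the paper. It builds a toy Bayesian network in which an IDS alert is event-based evidence about an attempted attack, a vulnerability scan result and a host-monitor observation are state-based evidence, and the unobserved variable of interest is whether the attack succeeded. The network structure, the variable names (Vuln, Attack, Success, Alert, Monitor) and every probability in the tables are assumptions chosen for the example. Inference is exact enumeration over the joint distribution, which is enough for five binary variables.

```python
"""
Added example (not from the paper): combining an IDS alert (event-based
evidence) with scanner and monitor observations (state-based evidence)
in a small Bayesian network, then querying the posterior probability
that the attack actually succeeded.

Assumptions: all variables are Boolean; the structure and the
conditional probability tables (CPTs) below are illustrative values,
not measurements or figures from the paper.
"""
from itertools import product

# var -> (parents, CPT). A CPT maps a tuple of parent values, in the order
# the parents are listed, to P(var = True | parents).
NETWORK = {
    # State-based evidence: vulnerability scanner says the host is exposed.
    "Vuln":    ((), {(): 0.30}),
    # Hidden event: an exploit attempt against the host actually occurred.
    "Attack":  ((), {(): 0.05}),
    # Hidden state: the attempt succeeded. Requires an attempt; very likely
    # if the host is vulnerable, rare (e.g. unknown variant) if it is not.
    "Success": (("Attack", "Vuln"), {(True, True): 0.90,
                                     (True, False): 0.02,
                                     (False, True): 0.00,
                                     (False, False): 0.00}),
    # Event-based evidence: IDS alert. 0.80 detection rate, 0.10 false-alarm
    # rate per observation window (assumed values).
    "Alert":   (("Attack",), {(True,): 0.80, (False,): 0.10}),
    # State-based evidence: host monitor sees the effect of a successful
    # attack (new listener, changed binary, ...) with some noise.
    "Monitor": (("Success",), {(True,): 0.85, (False,): 0.03}),
}


def joint(assignment):
    """P(full assignment) = product over variables of P(var | parents)."""
    p = 1.0
    for var, (parents, cpt) in NETWORK.items():
        p_true = cpt[tuple(assignment[q] for q in parents)]
        p *= p_true if assignment[var] else 1.0 - p_true
    return p


def posterior(query, evidence):
    """P(query = True | evidence) by summing the joint over hidden variables."""
    hidden = [v for v in NETWORK if v not in evidence and v != query]
    numerator = denominator = 0.0
    for values in product((False, True), repeat=len(hidden)):
        for query_value in (False, True):
            a = dict(evidence, **dict(zip(hidden, values)))
            a[query] = query_value
            p = joint(a)
            denominator += p
            if query_value:
                numerator += p
    return numerator / denominator


def confidence_table():
    """Posterior that the attack succeeded, as state-based evidence is added
    to a bare IDS alert. Also infers the unverified scan result from the
    alert plus monitor observation (reasoning about unknown evidence)."""
    return {
        "alert_only":            posterior("Success", {"Alert": True}),
        "alert_not_vulnerable":  posterior("Success", {"Alert": True, "Vuln": False}),
        "alert_vulnerable":      posterior("Success", {"Alert": True, "Vuln": True}),
        "alert_vuln_monitor":    posterior("Success", {"Alert": True, "Vuln": True,
                                                       "Monitor": True}),
        "infer_vuln_from_obs":   posterior("Vuln", {"Alert": True, "Monitor": True}),
    }


if __name__ == "__main__":
    for name, prob in confidence_table().items():
        print(f"{name:22s} {prob:.3f}")
```

With these assumed tables, a bare alert gives roughly 8% confidence that an attack succeeded; adding a scan result of "not vulnerable" drops it below 1% (a candidate false alert), "vulnerable" raises it to about 27%, and a confirming monitor observation pushes it above 90%. The last query runs the other direction: given only the alert and the monitor report, the network estimates about 75% that the host is vulnerable even though no scan result was supplied.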

Keywords: Alert Correlation, Intrusion Detection
