20th Annual Computer Security Applications Conference (ACSAC'04)
Reasoning About Complementary Intrusion Evidence
Tucson, Arizona
December 06-December 10
ISBN: 0-7695-2252-1
Yan Zhai, North Carolina State University, Raleigh, NC
Peng Ning, North Carolina State University, Raleigh, NC
Purush Iyer, North Carolina State University, Raleigh, NC
Douglas S. Reeves, North Carolina State University, Raleigh, NC
This paper presents techniques to integrate and reason about complementary intrusion evidence such as alerts generated by intrusion detection systems (IDSs) and reports by system monitoring or vulnerability scanning tools. To facilitate the modeling of intrusion evidence, this paper classifies intrusion evidence into either event-based evidence or state-based evidence. Event-based evidence refers to observations (or detections) of intrusive actions (e.g., IDS alerts), while state-based evidence refers to observations of the effects of intrusions on system states. Based on the interdependency between event-based and state-based evidence, this paper develops techniques to automatically integrate complementary evidence into Bayesian networks, and reason about uncertain or unknown intrusion evidence based on verified evidence. The experimental results in this paper demonstrate the potential of the proposed techniques. In particular, additional observations by system monitoring or vulnerability scanning tools can potentially reduce the false alert rate and increase the confidence in alerts corresponding to successful attacks.
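To make the abstract's idea concrete, here is a small added example (not code from the paper or its authors): a constructed five-variable Bayesian network in which an IDS alert is event-based evidence and a vulnerability-scanner report is state-based evidence, with the posterior probability of a successful attack computed by exact enumeration. The node set and all conditional probability values are assumptions chosen for illustration.

```python
from itertools import product

# Constructed toy network (assumed, not taken from the paper). Binary variables:
#   V: host actually has the vulnerability      (system state)
#   X: an exploit attempt occurs                (intrusive action)
#   S: the attempt succeeds                     (requires V and X)
#   D: the IDS raises an alert                  (event-based evidence, observes X)
#   R: the scanner reports the vulnerability    (state-based evidence, observes V)
P_V = 0.30                                   # prior: host is vulnerable
P_X = 0.05                                   # prior: exploit attempted
P_S_GIVEN_VX = {(1, 1): 0.90, (1, 0): 0.0, (0, 1): 0.0, (0, 0): 0.0}
P_D_GIVEN_X = {1: 0.90, 0: 0.02}             # IDS detection rate / false-alert rate
P_R_GIVEN_V = {1: 0.95, 0: 0.05}             # scanner true-positive / false-positive rate


def joint(v, x, s, d, r):
    """Probability of one complete assignment under the CPTs above."""
    def pick(p_true, value):
        # p_true is P(var = 1); return P(var = value)
        return p_true if value else 1.0 - p_true
    return (pick(P_V, v) * pick(P_X, x) * pick(P_S_GIVEN_VX[(v, x)], s)
            * pick(P_D_GIVEN_X[x], d) * pick(P_R_GIVEN_V[v], r))


def posterior_success(evidence):
    """P(S = 1 | evidence) by exact enumeration over all 2^5 assignments.

    `evidence` maps variable names among V, X, S, D, R to observed 0/1 values;
    unobserved variables are summed out.
    """
    names = ("V", "X", "S", "D", "R")
    numerator = denominator = 0.0
    for assignment in product((0, 1), repeat=len(names)):
        values = dict(zip(names, assignment))
        if any(values[k] != obs for k, obs in evidence.items()):
            continue                          # inconsistent with the evidence
        p = joint(*assignment)
        denominator += p
        if values["S"] == 1:
            numerator += p
    return numerator / denominator if denominator else 0.0


if __name__ == "__main__":
    # Alert alone, then alert combined with a confirming or refuting scan result.
    print("P(success | alert)              =", round(posterior_success({"D": 1}), 4))
    print("P(success | alert, scan says vulnerable) =",
          round(posterior_success({"D": 1, "R": 1}), 4))
    print("P(success | alert, scan says patched)    =",
          round(posterior_success({"D": 1, "R": 0}), 4))
```

With these constructed numbers the alert alone yields roughly a 19% posterior of a successful attack, a confirming scan raises it above 50%, and a refuting scan drops it below 2%, which is the effect the abstract describes for combining state-based with event-based evidence.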
Citation:
Yan Zhai, Peng Ning, Purush Iyer, Douglas S. Reeves, "Reasoning About Complementary Intrusion Evidence," acsac, pp.39-48, 20th Annual Computer Security Applications Conference (ACSAC'04), 2004