
A unified alert fusion model for intelligent analysis of sensor data in an intrusion detection environment.



Abstract

The need for higher-level reasoning beyond what individual low-level sensors provide has prompted researchers to apply different kinds of sensor fusion techniques to improve situational awareness in the intrusion detection environment. These techniques differ mainly in their mission objectives: some prioritize alerts to reduce alert volume, some cluster alerts to identify common attack patterns, and some correlate alerts to identify multi-staged attacks. Each of these tasks has its own merits. Unlike previous efforts in this area, this dissertation combines the primary tasks of sensor alert fusion, i.e., alert prioritization, alert clustering and alert correlation, into a single framework in which the individual results are used to quantify a confidence score that serves as an overall assessment for global diagnosis of a system's security health. Such a framework is especially useful in a multi-sensor environment, where sensors can collaborate with or complement each other to provide increased reliability; this makes it essential that the outputs of the sensors are fused effectively in order to provide an improved understanding of the security status of the protected resources in the distributed environment.

This dissertation uses a possibilistic approach to intelligent fusion of sensor alerts with Fuzzy Cognitive Modeling in order to accommodate the imprecision and vagueness inherent in knowledge-based reasoning. We show that our unified architecture for sensor fusion provides better insight into the security health of systems. A new multilevel alert clustering method is developed to accommodate inexact matching of alert features and is shown to find relevance for more alerts than traditional exact clustering. Alert correlation with a new abstract incident modeling technique is shown to address the scalability and uncertainty issues present in traditional alert correlation. New concepts of dynamic fusion are presented for overall situation assessment, which (a) in the case of misuse sensors, combine the results of alert clustering and alert correlation, and (b) in the case of anomaly sensors, corroborate evidence from primary and secondary sensors to derive the final conclusion on the systems' security health.
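The following Python block is an added illustration of the three fusion tasks named in the abstract (inexact multilevel clustering, a simple correlation check for a multi-staged attack, and a possibilistic confidence score combined with max/min operators). It is not code from the dissertation and does not reproduce its Fuzzy Cognitive Modeling; the feature weights, the similarity levels (exact host vs. same /24 vs. same /16, exact signature vs. same signature family, time decay), the clustering threshold, the score formula and the sample alerts are all assumptions made for the example.

```python
"""Toy alert fusion pipeline: inexact (multilevel) clustering of IDS alerts,
a scan-then-exploit correlation check, and a possibilistic (max/min)
confidence score.  Illustration only: weights, thresholds and the sample
alerts below are assumptions, not the dissertation's model."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List


@dataclass(frozen=True)
class Alert:
    ts: float        # seconds since epoch
    src: str         # source IPv4 address
    dst: str         # destination IPv4 address
    sig: str         # "<family>/<name>", e.g. "scan/portsweep"
    severity: float  # sensor-reported severity in [0, 1]


def ip_similarity(a: str, b: str) -> float:
    """Multilevel match: exact host > same /24 > same /16 > unrelated."""
    if a == b:
        return 1.0
    if ip_address(a) in ip_network(f"{b}/24", strict=False):
        return 0.6
    if ip_address(a) in ip_network(f"{b}/16", strict=False):
        return 0.3
    return 0.0


def sig_similarity(a: str, b: str) -> float:
    """Exact signature > same signature family > unrelated."""
    if a == b:
        return 1.0
    return 0.5 if a.split("/")[0] == b.split("/")[0] else 0.0


def time_similarity(t1: float, t2: float) -> float:
    """Full credit within 60 s, then linear decay to zero at 600 s."""
    dt = abs(t1 - t2)
    return 1.0 if dt <= 60 else max(0.0, 1.0 - (dt - 60) / 540)


WEIGHTS = {"src": 0.30, "dst": 0.30, "sig": 0.25, "time": 0.15}  # assumed


def similarity(a: Alert, b: Alert) -> float:
    """Weighted feature similarity in [0, 1]; 1.0 only for an exact match."""
    return (WEIGHTS["src"] * ip_similarity(a.src, b.src)
            + WEIGHTS["dst"] * ip_similarity(a.dst, b.dst)
            + WEIGHTS["sig"] * sig_similarity(a.sig, b.sig)
            + WEIGHTS["time"] * time_similarity(a.ts, b.ts))


def cluster(alerts: List[Alert], threshold: float) -> List[List[Alert]]:
    """Greedy leader clustering: an alert joins the first cluster whose
    leader is at least `threshold` similar.  threshold=1.0 reproduces
    traditional exact clustering; lower values give inexact clustering."""
    clusters: List[List[Alert]] = []
    for alert in sorted(alerts, key=lambda x: x.ts):
        for c in clusters:
            if similarity(c[0], alert) >= threshold - 1e-9:
                c.append(alert)
                break
        else:
            clusters.append([alert])
    return clusters


def is_multistage(c: List[Alert]) -> bool:
    """Correlation check: a scan-family alert followed by an exploit-family alert."""
    families = [a.sig.split("/")[0] for a in sorted(c, key=lambda x: x.ts)]
    return "scan" in families and "exploit" in families[families.index("scan"):]


def cluster_confidence(c: List[Alert], k: int = 3) -> float:
    """Possibilistic score: fuzzy AND (min) of 'some alert is severe' and
    'enough corroborating alerts' (k alerts = full support).  A detected
    scan->exploit progression lifts the score to at least 0.95 (assumed)."""
    severe = max(a.severity for a in c)
    support = min(1.0, len(c) / k)
    score = min(severe, support)
    return max(score, 0.95) if is_multistage(c) else score


def security_health(alerts: List[Alert], threshold: float = 0.6) -> float:
    """Global confidence that the protected systems are under attack:
    fuzzy OR (max) over the per-cluster scores."""
    return max((cluster_confidence(c) for c in cluster(alerts, threshold)), default=0.0)


# Constructed sample alerts (not real sensor output).
SAMPLE = [
    Alert(0.0,    "10.0.0.5",     "192.168.1.10", "scan/portsweep", 0.3),
    Alert(30.0,   "10.0.0.5",     "192.168.1.11", "scan/portsweep", 0.3),
    Alert(45.0,   "10.0.0.5",     "192.168.1.10", "exploit/smb",    0.9),
    Alert(3000.0, "172.16.9.9",   "192.168.1.10", "scan/portsweep", 0.3),
    Alert(3010.0, "172.16.9.200", "192.168.1.12", "scan/synscan",   0.3),
]

if __name__ == "__main__":
    print("exact clusters:", len(cluster(SAMPLE, 1.0)))    # 5: nothing matches exactly
    print("inexact clusters:", len(cluster(SAMPLE, 0.6)))  # 2: per attacking source
    print("security health score:", security_health(SAMPLE))
```

With the sample data, exact clustering leaves every alert in its own cluster, whereas inexact clustering groups the two sweeps from neighbouring hosts in 172.16.9.0/24 and joins the SMB exploit to the earlier sweeps from 10.0.0.5, which the correlation check then flags as a scan-then-exploit progression.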

Bibliographic record

  • Author

    Siraj, Ambareen.;

  • Author affiliation

    Mississippi State University.;

  • Degree-granting institution Mississippi State University.;
  • Subject Computer Science.
  • Degree Ph.D.
  • Year 2006
  • Pages 255 p.
  • Total pages 255
  • Format PDF
  • Language eng
  • CLC classification Automation technology, computer technology;
  • Keywords

