System and method for intrusion decision-making in autonomic computing environments

摘要

A mechanism is provided for performing intrusion decision-making using a plurality of approaches. Detection approaches may include, for example, signature-based, anomaly-based, scan-based, and danger theory approaches. When event information is received, each approach produces a result. A consensus of each result is then reached by using, for example, Bayesian Filtering. A corpus is kept for each approach. An intrusion corpus keeps combinations of the corpora for all of the approaches that constitute intrusions. A safe corpus keeps combinations of the corpora for all of the approaches that do not constitute an intrusion. The corpora for the approaches may be pre-defined according to security policies and the like. The intrusion corpus and the safe corpus may be trained using scores that are determined using the detection approaches.