Integrating intrusion alert information to aid forensic explanation: An analytical intrusion detection framework for distributive IDS

Authors:
Bon K. Sy
Affiliations:
Queens College, Computer Science Department, 65-30 Kissena Blvd., Flushing, NY 11367, USA and Graduate Center/CUNY, Computer Science Department, 365 Fifth Ave., New York, NY 10016, USA
Venue:
Information Fusion
Year:
2009

Citing 13
Cited 3

Numerical recipes in C (2nd ed.): the art of scientific computing

Numerical recipes in C (2nd ed.): the art of scientific computing
Secure audit logs to support computer forensics

ACM Transactions on Information and System Security (TISSEC)
The base-rate fallacy and its implications for the difficulty of intrusion detection

CCS '99 Proceedings of the 6th ACM conference on Computer and communications security
Data mining: concepts and techniques

Data mining: concepts and techniques
Scientific Computing: An Introductory Survey

Scientific Computing: An Introductory Survey
Probabilistic Alert Correlation

RAID '00 Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection
Pattern Classification (2nd Edition)

Pattern Classification (2nd Edition)
Information-Statistical Data Mining: Warehouse Integration With Examples of Oracle Basics (The Kluwer International Series in Engineering and Computer Science, 757)

Information-Statistical Data Mining: Warehouse Integration With Examples of Oracle Basics (The Kluwer International Series in Engineering and Computer Science, 757)
A behavioral approach to worm detection

Proceedings of the 2004 ACM workshop on Rapid malcode
Snort - Lightweight Intrusion Detection for Networks

LISA '99 Proceedings of the 13th USENIX conference on System administration
Backtracking intrusions

ACM Transactions on Computer Systems (TOCS)
Forensix: A Robust, High-Performance Reconstruction System

ICDCSW '05 Proceedings of the Second International Workshop on Security in Distributed Computing Systems (SDCS) (ICDCSW'05) - Volume 02
Toward Models for Forensic Analysis

SADFE '07 Proceedings of the Second International Workshop on Systematic Approaches to Digital Forensic Engineering

Network forensics based on fuzzy logic and expert system

Computer Communications
Early warning system for cascading effect control in energy control systems

CRITIS'10 Proceedings of the 5th international conference on Critical Information Infrastructures Security
Review: An intrusion detection and prevention system in cloud computing: A systematic review

Journal of Network and Computer Applications

Quantified Score

Hi-index	0.00

Visualization

Abstract

The objective of this research is to show an analytical intrusion detection framework (AIDF) comprised of (i) a probability model discovery approach, and (ii) a probabilistic inference mechanism for generating the most probable forensic explanation based on not only just the observed intrusion detection alerts, but also the unreported signature rules that are revealed in the probability model. The significance of the proposed probabilistic inference is its ability to integrate alert information available from IDS sensors distributed across subnets. We choose the open source Snort to illustrate its feasibility, and demonstrate the inference process applied to the intrusion detection alerts produced by Snort. Through a preliminary experimental study, we illustrate the applicability of AIDF for information integration and the realization of (i) a distributive IDS environment comprised of multiple sensors, and (ii) a mechanism for selecting and integrating the probabilistic inference results from multiple models for composing the most probable forensic explanation.