A Probabilistic-Based Framework for INFOSEC Alert Correlation

To my dear family: Thank you for all of your love, support and encouragements. iii ACKNOWLEDGEMENTS I would like to express my sincere and deep gratitude to my advisor, Dr. Wenke Lee, for his great support, guidance, patience and encouragement during the past several years. Wenke has not only guided and helped me on my research work, but also taught me important values of life. He can always directly point out my weakness that I need to overcome and also always give me cheers when I have achievedf milestones. The thesis would not have been possible without help of Wenke and many other people. I would also like to thank Dr. for their great help on my research and bringing me the wonderful and enjoyable graduate student life at Tech. I will never forget our discussions on ideas, collaborations on research, travels on conferences and wonderful chats on fun. Special thanks to David Dagon. David is an energetic researcher, also like an elder brother, helping us on everything that he can, patiently, warmly and unselfishly. I believe each of the team members will become a super star in the InfoSec community. iv Symons for mentoring me during my summer internship at HP Labs. Many thanks to Dr. Fengmin Gong at McAfee for being my mentor and bringing me to the information security field during my internship at MCNC. Finally, I would like to dedicate this dissertation to my family: my parents, my wife and my brother. I would never have made it through the whole Ph.D. process without their priceless love, encouragements and support. Special thanks to my wife for her great love, patience and understanding during the past several years. She has shared the hardship that I have endured and enjoyed the success that I have achieved. Thank you, my dear family! v TABLE OF CONTENTS