Reasoning about Complementary Intrusion Evidence

Integrating Multiple

ZHAI, YAN. Integrating Multiple Information Resources to Analyze Intrusion Alerts. (Under the direction of Associate Professor Peng Ning). Intrusion detection systems (IDSs) are important components of network security. However, it is well known that current IDSs generate large amount of alerts, including both true and false alerts. Other than proposing new techniques to detect intrusions witho...

Building Attack Scenarios through Integration of Complementary Alert Correlation Method

Several alert correlation methods were proposed in the past several years to construct high-level attack scenarios from low-level intrusion alerts reported by intrusion detection systems (IDSs). These correlation methods have different strengths and limitations; none of them clearly dominate the others. However, all of these methods depend heavily on the underlying IDSs, and perform poorly when...

Correlation of Intrusion Alarms with Subjective Logic

Today, a variety of intrusion detection systems based on a variety of techniques and data sources exists. The alarms generated by these sensors need to be managed efficiently to generate an appropriate amount of alerts. This could be accomplished by fusing alarms from multiple sensors to report an attack only once, correlate alarms to reduce the number of false alarms and aggregate alarms to pr...

A Comprehensive Reasoning Framework for Information Survivability (user Intent Encapsulation and Reasoning about Intrusion: Implementation and Performance Assessment)

Network Forensics Analysis with Evidence Graphs

We develop a prototype network forensics analysis tool that integrates presentation, manipulation and automated reasoning of intrusion evidence. We propose the evidence graph as a novel graph model to facilitate the presentation and manipulation of intrusion evidence. For automated evidence analysis, we develop a hierarchical reasoning framework that includes local reasoning and global reasonin...