Adaptive, Model-Based Monitoring and Threat Detection

Abstract

We explore the suitability of model-based probabilistic techniques, such as Bayes networks, to the field of intrusion detection and alert report correlation. We describe a network intrusion detection system (IDS) using Bayes inference, wherein the knowledge base is encoded not as rules but as conditional probability relations between observables and hypotheses of normal and malicious usage. The same high-performance Bayes inference library was employed in a component of the Mission-Based Correlation effort, using an initial knowledge base that adaptively learns the security administrator's preference for alert priority and rank. Another major effort demonstrated probabilistic techniques in heterogeneous sensor correlation. We provide results for simulated attack data, live traffic, and the CyberPanel Grand Challenge Problem. Our results establish that model-based probabilistic techniques are an important complementary capability to signature-based methods in detection and correlation.

Document Details

Document Type
Technical Report
Publication Date
Sep 01, 2002
Accession Number
ADA406875

Entities

People

  • Alfonso Valdes
  • Keith Skinner

Organizations

  • SRI International

Tags

Communities of Interest

  • Cyber
  • Sensors

DTIC Thesaurus Topics

  • Air Force Research Laboratories
  • Anomaly Detection
  • Change Detection
  • Computational Science
  • Computer Networks
  • Data Sets
  • Denial Of Service Attack
  • Detection
  • Detectors
  • Failure Mode And Effect Analysis
  • Intrusion
  • Intrusion Detection
  • Intrusion Detection Systems
  • Intrusion Detectors
  • Probability
  • Security
  • Warning Systems

Fields of Study

  • Computer science

Readers

  • Artificial Intelligence
  • Cybersecurity
  • Systems Analysis and Design

Technology Areas

  • AI & ML
  • AI & ML - Bayesian Inference