Automatic Extraction and Coordination of Audit Data and Features for Intrusion and Damage Assessment
Abstract
Intrusion and damage assessment is an important step after intrusion detection. The goal of this research is to shorten the time needed to construct a coherent intrusion trace and assess the damage, through automatic extraction and coordination of audit data and features for intrusion and damage assessment. In this project, we develop the System-Fault-Risk framework to define the cause-effect chains of intrusions as intrusion profiles and to classify intrusions. We create a new attack-norm separation approach to developing detection models for building cyber sensors that monitor and identify intrusion data characteristics at various points along the path of an intrusion cause-effect chain. Mean, autocorrelation and wavelet data characteristics of cyber attack and norm data are discovered to enable the definition of attack data models and norm data models, which are in turn used to build detection models for cyber sensors. The testing results show the superior performance of detection models based on the attack-norm separation approach compared to that of detection models based on two conventional approaches, signature recognition and anomaly detection.
Document Details
- Document Type: Technical Report
- Publication Date: Mar 31, 2006
- Accession Number: ADA448069
Entities
- People: Nong Ye
- Organizations: Arizona State University