Extracting Forensic Explanation from Intrusion Alerts

12 years 3 months ago
Extracting Forensic Explanation from Intrusion Alerts
Since it is desirable for an intrusion detection system to be operated with the real time performance, it is not unusual for an intrusion detection engine to perform a "lazy trigger." In other words, it reports only a partial list of multiple rules matching the attack signature pattern(s). In this research, we assert that the ability of inferring the hidden matching rules from the observed rule(s) is an alternative to leverage on intrusion detection alerts for generating forensic explanation, thus is one step towards bridging intrusion detection with forensic analysis. The objective of this research is to show (i) a probability model discovery approach for enabling such an inference mechanism, and (ii) a probabilistic inference mechanism for generating the most probable forensic explanation based on not only just the observed intrusion detection alerts, but also the unreported signature rules that are revealed in the probability model. Although the proposed approach is not s...
Bon Sy, Negmat Mullodzhanov
Added 30 Oct 2010
Updated 30 Oct 2010
Type Conference
Year 2006
Where DMIN
Authors Bon Sy, Negmat Mullodzhanov
Comments (0)