DocumentCode :
3219451
Title :
Information modeling for intrusion report aggregation
Author :
Goldman, Robert P. ; Heimerdinger, Walter ; Harp, Steven A. ; Geib, Christopher W. ; Thomas, Vicraj ; Carter, Robert L.
Author_Institution :
Honeywell Labs, Minneapolis, MN, USA
Volume :
1
fYear :
2001
fDate :
2001
Firstpage :
329
Abstract :
The paper describes the SCYLLARUS approach to fusing reports from multiple intrusion detection systems (IDSes) to provide an overall approach to intrusion situation awareness. The overall view provided by SCYLLARUS centers around the site's security goals, aggregating large numbers of individual IDS reports based on their impact. The overall view reduces information overload by aggregating multiple IDS reports into a top-down view, and reduces false positives by weighing evidence provided by multiple IDSes and other information sources. Unlike previous efforts in this area, SCYLLARUS is centered around its intrusion reference model (IRM). The SCYLLARUS IRM contains both dynamic and static (configuration) information. A network entity/relationship database (NERD), providing information about the site's hardware and software; a security goal database, describing the site's objectives and security policy; and an event dictionary, describing important events, both intrusions and benign, comprise the static portion of the IRM. The set of IDS reports, the events SCYLLARUS hypothesizes to explain them, and the resulting judgment of the state of site security goals comprise the dynamic part of the IRM.
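The abstract names the parts of the IRM but not how they fit together. The following is an added illustration written for this record, not SCYLLARUS code and not taken from the paper: a toy IRM with a constructed NERD, security goal database and event dictionary as the static part, and a dynamic part that collapses sample IDS reports into hypothesized events, combines evidence from distinct sensors, and judges each goal from those hypotheses. The host names, sensor names, addresses, event types, confidence values and the noisy-OR combination rule are all assumptions chosen for the example.

```python
"""Toy intrusion reference model (IRM) in the spirit of the abstract.
Added illustration, not SCYLLARUS code; every datum below is constructed."""
from collections import defaultdict
from dataclasses import dataclass

# ---- static part of the IRM ----------------------------------------------
# Network entity/relationship database: host -> address and services (constructed).
NERD = {
    "web01": {"ip": "10.0.0.5", "services": {"http"}},
    "db01": {"ip": "10.0.0.9", "services": {"postgres"}},
}
# Security goal database: goal -> hosts whose compromise violates it (constructed).
SECURITY_GOALS = {
    "customer-db-confidentiality": {"db01"},
    "web-availability": {"web01"},
}
# Event dictionary: event type -> whether it is an intrusion and which goals it threatens.
EVENT_DICTIONARY = {
    "sql-injection": {"intrusion": True, "threatens": {"customer-db-confidentiality"}},
    "port-scan": {"intrusion": True, "threatens": set()},
    "backup-job": {"intrusion": False, "threatens": set()},
}

# ---- dynamic part of the IRM ---------------------------------------------
@dataclass(frozen=True)
class IDSReport:
    sensor: str        # which IDS produced the report
    target_ip: str     # address the report is about
    event_type: str    # key into EVENT_DICTIONARY
    confidence: float  # the sensor's own estimate that the event really occurred

# Constructed sample reports from three hypothetical sensors.
SAMPLE_REPORTS = [
    IDSReport("nids-a", "10.0.0.9", "sql-injection", 0.6),
    IDSReport("nids-b", "10.0.0.9", "sql-injection", 0.6),
    IDSReport("nids-a", "10.0.0.9", "sql-injection", 0.5),  # repeat from the same sensor
    IDSReport("nids-a", "10.0.0.5", "sql-injection", 0.6),  # single sensor, uncorroborated
    IDSReport("nids-b", "10.0.0.5", "port-scan", 0.9),
    IDSReport("hids-c", "10.0.0.9", "backup-job", 0.95),    # benign per the dictionary
    IDSReport("nids-a", "10.0.0.77", "port-scan", 0.9),     # host unknown to the NERD
]

def host_for_ip(ip):
    """Resolve an address to a NERD host; None when the address is unknown."""
    return next((h for h, rec in NERD.items() if rec["ip"] == ip), None)

def hypothesize_events(reports):
    """Collapse reports into hypothesized events keyed by (host, event_type).

    Belief in each event is a noisy-OR over *distinct* sensors, so repeated
    reports from one sensor add no evidence while independent corroboration does.
    """
    by_event = defaultdict(dict)  # (host, etype) -> sensor -> best confidence
    for r in reports:
        host = host_for_ip(r.target_ip)
        if host is None:
            continue  # cannot be tied to any asset or goal; dropped from the view
        sensors = by_event[(host, r.event_type)]
        sensors[r.sensor] = max(sensors.get(r.sensor, 0.0), r.confidence)
    hyps = {}
    for key, sensors in by_event.items():
        p_all_wrong = 1.0
        for c in sensors.values():
            p_all_wrong *= 1.0 - c
        hyps[key] = {"belief": 1.0 - p_all_wrong, "sensors": sorted(sensors)}
    return hyps

def judge_goals(hyps, threshold=0.8):
    """Top-down view: goal -> hypotheses that threaten it (empty list = intact)."""
    status = {g: [] for g in SECURITY_GOALS}
    for (host, etype), h in hyps.items():
        entry = EVENT_DICTIONARY.get(etype)
        if entry is None or not entry["intrusion"] or h["belief"] < threshold:
            continue
        for goal in entry["threatens"]:
            if host in SECURITY_GOALS[goal]:
                status[goal].append((host, etype, round(h["belief"], 3)))
    return status

if __name__ == "__main__":
    hyps = hypothesize_events(SAMPLE_REPORTS)
    print(len(SAMPLE_REPORTS), "reports ->", len(hyps), "hypothesized events")
    for goal, evidence in judge_goals(hyps).items():
        print(goal, "THREATENED" if evidence else "ok", evidence)
```

With the constructed input, seven reports collapse into four hypothesized events. The SQL injection against db01 is reported by two independent sensors at 0.6 each, which the noisy-OR lifts to 0.84, above the threshold, so the confidentiality goal is judged threatened; the same event type against web01 comes from one sensor only, stays at 0.6, and does not surface, which is the false-positive suppression the abstract describes. The port scan and the backup job never reach a goal because the event dictionary ties them to none or marks them benign.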
Keywords :
entity-relationship modelling; relational databases; security of data; SCYLLARUS approach; dynamic information; event dictionary; hardware; information modeling; information sources; intrusion reference model; intrusion report aggregation; intrusion situation awareness; multiple intrusion detection systems; network entity/relationship database; report fusion; security goal database; security goals; software; static information; Costs; Data security; Databases; Dictionaries; Hardware; Information security; Intrusion detection; Laboratories; Prototypes; Sensor systems;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
DARPA Information Survivability Conference & Exposition II, 2001. DISCEX '01. Proceedings
Conference_Location :
Anaheim, CA
Print_ISBN :
0-7695-1212-7
Type :
conf
DOI :
10.1109/DISCEX.2001.932228
Filename :
932228