Title :
A diagnosis based intrusion detection approach
Author :
Conner Jackson; Karl Levitt; Jeff Rowe; Srikanth Krishnamurthy; Trent Jaeger; Ananthram Swami
Author_Institution :
Dept. of Computer Science, University of California Davis, USA
Abstract :
We describe preliminary work on a novel detection approach, which we call diagnosis-enabled intrusion detection (DEID), that takes a stream of evidence from multiple sources, aggregates the evidence and uses it to arrive at the “best” explanation for the observed activity. This approach requires the solution of four key scientific challenges: (i) a theory and algorithms for monitor placement that covers all system layers, so that attackers cannot evade detection even when launching zero-day attacks; (ii) evidence collection that produces useful aggregated evidence from system actions in real time without adversely affecting the mission; (iii) a theory of diagnosis detection for filtering and correlating evidence to test hypotheses regarding mission impact, producing both diagnoses and explanations of their causes; and (iv) diagnosis presentation for conveying explanations to domain experts, so that they can produce new knowledge to act effectively on previously unknown attacks and respond to identified attacks in ways that preserve mission requirements.
Keywords :
"Diseases","Intrusion detection","Surveillance","Computer security","Computer science"
Conference_Title :
Military Communications Conference, MILCOM 2015 - 2015 IEEE
DOI :
10.1109/MILCOM.2015.7357564