本論文已被瀏覽 201 次， [ ] 37 次，[ ] [ ]
Intrusion detection systems (IDSs) are important components of network security. However, it is well known that current IDSs
generate large amount of alerts, including both true and false alerts. Other than proposing new techniques to detect intrusions
without such problems, this thesis presents some work we have done in improving the study of IDS alerts by incorporating other
sources of relevant information. In particular, the work covers four issues.
The first issue is to integrate and reason about IDS alerts as well as reports by system monitoring or vulnerability scanning
tools (discussed in Chapter 3). To facilitate the modeling of intrusion evidence, this approach classifies intrusion
evidence into either event-based evidence or state-based evidence. Event-based evidence refers to observations (or
detections) of intrusive actions (e.g., IDS alerts), while state-based evidence refers to observations of the effects of
intrusions on system states. Based on the interdependency between event-based and state-based evidence, we developed techniques
to automatically integrate complementary evidence into Bayesian networks, and reason about uncertain or unknown intrusion evidence
based on verified evidence.
The second issue is the study of the robustness of the Bayesian analysis framework toward inaccuracies in the assignments of prior
confidence with sensitivity analysis and qualitative analysis (discussed in Chapter 4). By performing
sensitivity analysis and qualitative analysis on the Bayesian networks used to reason about intrusion evidence, we can measure or
approximate individual evidence's influence on the reasoning results. Such study on the framework's robustness properties can
provide guide line for evidence collection and analyses.
The third issue is to improve alert correlation by integrating alert correlation techniques with OS-level object dependency
tracking (discussed in Chapter 5). With the support of more detailed and precise information from OS-level event logs, higher
accuracy in alert correlation can be achieved. The chapter also discusses the application of such integration in making hypotheses
about possibly missed attacks.
The fourth issue is to correlate intrusion alert and other security event information from multiple heterogeneous sources while
protecting the privacy for each participating parties (discussed in Chapter 6). Based on a sanitization scheme utilizing both
generalization and randomization, we proposed several techniques to flexibly balance between the privacy protection and the
analysis capability of the sanitized data. We also studied the various analyses supported by the sharing framework and its
security against some different types of attacks.
Finally, the conclusion of my dissertation is provided and future work is pointed out.