Case-Based Multi-Sensor Intrusion Detection
Abstract: Multi-sensor intrusion detection systems (IDSs) combine the alerts raised by individual IDSs and possibly other kinds of devices such as firewalls and antivirus software. A critical issue in building a multi-sensor IDS is alert correlation, i.e., determining which alerts are caused by the same attack. This paper explores a novel approach to alert correlation using case-based reasoning (CBR). Each case in the CBR system's library contains a pattern of alerts raised by some known attack type, together with the identity of the attack. Then, at run time, the alert streams gleaned from the sensors are compared with the patterns in the cases, and a match indicates that the attack described by that case has occurred. For this purpose the design of a fast and accurate matching algorithm is imperative. Two such algorithms were explored: (i) the well-known Hungarian algorithm, and (ii) an order-preserving matching of our own devising. Tests were conducted using the DARPA Grand Challenge Problem attack simulator. These showed that both matching algorithms are effective in detecting attacks, but the Hungarian algorithm is inefficient, whereas the order-preserving one is very efficient and in fact runs in linear time.
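As an added example (not the paper's own code; the paper does not publish its matching algorithm), the following Python sketch shows the case-library idea from the abstract: each case holds an ordered alert pattern and an attack name, and a greedy subsequence scan stands in for the order-preserving matcher. The Alert and Case classes, the LIBRARY and STREAM values and the signature names are all assumed for illustration; the scan does preserve alert order and makes one pass over the stream, which is the property the abstract claims.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Alert:           # assumed minimal alert model: raising sensor and signature name
    sensor: str
    signature: str

@dataclass(frozen=True)
class Case:            # a library case: the ordered alert pattern of a known attack, plus its identity
    attack: str
    pattern: Tuple[Alert, ...]

def order_preserving_match(stream: List[Alert], pattern: Tuple[Alert, ...]) -> Optional[List[int]]:
    """Greedy left-to-right subsequence scan (assumed stand-in for the paper's matcher).
    Each pattern alert is bound to the earliest stream alert that equals it and follows
    the previous binding, so order is preserved. Returns the bound stream indices, or
    None if the pattern is not fully present. One pass: O(len(stream)) per case."""
    bound: List[int] = []
    j = 0
    for i, alert in enumerate(stream):
        if j == len(pattern):
            break
        if alert == pattern[j]:
            bound.append(i)
            j += 1
    return bound if j == len(pattern) else None

def correlate(stream: List[Alert], library: List[Case]) -> Dict[str, List[int]]:
    """Match the stream against every case; a full match means that case's attack
    occurred. Returns {attack: indices of the stream alerts attributed to it}."""
    hits: Dict[str, List[int]] = {}
    for case in library:
        idx = order_preserving_match(stream, case.pattern)
        if idx is not None:
            hits[case.attack] = idx
    return hits

# Constructed case library and alert stream (illustrative; not from the paper or the DARPA simulator).
LIBRARY = [
    Case("scan-then-exploit", (Alert("fw", "denied-probe"), Alert("nids", "portscan"),
                               Alert("nids", "exploit-attempt"), Alert("av", "dropper-found"))),
    Case("brute-force-login", (Alert("hids", "auth-failure"), Alert("hids", "auth-failure"),
                               Alert("hids", "auth-success"))),
]
STREAM = [  # unrelated alerts are interleaved with the scan-then-exploit pattern
    Alert("fw", "denied-probe"), Alert("hids", "auth-failure"), Alert("nids", "portscan"),
    Alert("nids", "dns-anomaly"), Alert("nids", "exploit-attempt"), Alert("hids", "auth-failure"),
    Alert("av", "dropper-found"),
]
```

Running correlate(STREAM, LIBRARY) attributes alerts 0, 2, 4 and 6 to scan-then-exploit, while brute-force-login is not reported because its final auth-success alert never appears.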
Keywords: information services / air traffic / environmental engineering