Handling uncertainty in intrusion analysis

K-REx Repository

dc.contributor.author Zomlot, Loai M. M.
dc.date.accessioned 2014-04-28T14:32:09Z
dc.date.available 2014-04-28T14:32:09Z
dc.date.issued 2014-04-28
dc.identifier.uri http://hdl.handle.net/2097/17603
dc.description.abstract Intrusion analysis, i.e., the process of combing through Intrusion Detection System (IDS) alerts and audit logs to identify true successful and attempted attacks, remains a difficult problem in practical network security defense. The primary cause of this problem is the high false positive rate of the IDS sensors used to detect malicious activity. This high false positive rate is attributed to an inability to differentiate nearly certain attacks from those that are merely possible. This inefficacy has created high uncertainty in intrusion analysis and consequently causes an overwhelming amount of work for security analysts. As a solution, practitioners typically resort to a specific set of IDS rules that precisely captures specific attacks. However, this results in failure to discern other forms of the targeted attack, because an attack's polymorphism reflects human intelligence. Alternatively, the addition of generic rules, so that any activity with a remote indication of an attack triggers an alert, requires the security analyst to discern true alerts from a multitude of false alerts, thus perpetuating the original problem. The perpetuity of this trade-off is a dilemma that has puzzled the cyber-security community for years. A solution to this dilemma includes reducing uncertainty in intrusion analysis by making IDS alerts that are nearly certain prominently discernible. Therefore, I propose alert prioritization, which can be attained by integrating multiple methods. I use IDS alert correlation by building attack scenarios in a ground-up manner. In addition, I use Dempster-Shafer Theory (DST), a non-traditional theory for quantifying uncertainty, and I propose a new method for fusing non-independent alerts in an attack scenario. Finally, I propose the use of semi-supervised learning to capture an organization's contextual knowledge, consequently improving prioritization. Evaluation of these approaches was conducted using multiple datasets. Evaluation results strongly indicate that the ranking provided by the approaches gives good prioritization of IDS alerts based on their likelihood of indicating true attacks. en_US
dc.language.iso en_US en_US
dc.publisher Kansas State University en
dc.subject Enterprise network security en_US
dc.subject Intrusion detection and analysis en_US
dc.subject Machine learning en_US
dc.subject Reason about uncertainty en_US
dc.subject Dempster-Shafer Theory en_US
dc.title Handling uncertainty in intrusion analysis en_US
dc.type Dissertation en_US
dc.description.degree Doctor of Philosophy en_US
dc.description.level Doctoral en_US
dc.description.department Department of Computing and Information Sciences en_US
dc.description.advisor Xinming Ou en_US
dc.subject.umi Computer Science (0984) en_US
dc.date.published 2014 en_US
dc.date.graduationmonth May en_US
