Abstract

Current practice for combating cyber attacks typically use Intrusion Detection Sensors (IDSs) to passively detect and block multi-stage attacks. This work leverages Level-2 fu sion that correlates IDS alerts belonging to the same attacker, and proposes a threat assess ment algorithm to predict potential future attacker actions. The algorithm, TANDI, reduces the problem complexity by separating the models of the attacker's capability and opportu nity, and fuse the two to determine the attacker's intent. Unlike traditional Bayesian-based approaches, which require assigning a large number of edge probabilities, the proposed Level-3 fusion procedure uses only 4 parameters. TANDI has been implemented and tested with randomly created attack sequences. The results demonstrate that TANDI predicts fu ture attack actions accurately as long as the attack is not part of a coordinated attack and contains no insider threats. In the presence of abnormal attack events, TANDI will alarm the network analyst for further analysis. The attempt to evaluate a threat assessment algo rithm via simulation is the first in the literature, and shall open up a new avenue in the area of high level fusion.

Library of Congress Subject Headings

Computer networks--Security measures; Cyberterrorism--Prevention; Computer crimes--Prevention

Publication Date

2006

Document Type

Thesis

Student Type

Graduate

Degree Name

Computer Engineering (MS)

Department, Program, or Center

Computer Engineering (KGCOE)

Advisor

Shanchieh Yang

Advisor/Committee Member

Moises Sudit

Advisor/Committee Member

Greg Semeraro

Comments

Physical copy available from RIT's Wallace Library at TK5105.59 .H64 2006

Campus

RIT – Main Campus

Download

Share

COinS