Current practice for combating cyber attacks typically use Intrusion Detection Sensors (IDSs) to passively detect and block multi-stage attacks. This work leverages Level-2 fu sion that correlates IDS alerts belonging to the same attacker, and proposes a threat assess ment algorithm to predict potential future attacker actions. The algorithm, TANDI, reduces the problem complexity by separating the models of the attacker's capability and opportu nity, and fuse the two to determine the attacker's intent. Unlike traditional Bayesian-based approaches, which require assigning a large number of edge probabilities, the proposed Level-3 fusion procedure uses only 4 parameters. TANDI has been implemented and tested with randomly created attack sequences. The results demonstrate that TANDI predicts fu ture attack actions accurately as long as the attack is not part of a coordinated attack and contains no insider threats. In the presence of abnormal attack events, TANDI will alarm the network analyst for further analysis. The attempt to evaluate a threat assessment algo rithm via simulation is the first in the literature, and shall open up a new avenue in the area of high level fusion.
Library of Congress Subject Headings
Computer networks--Security measures; Cyberterrorism--Prevention; Computer crimes--Prevention
Computer Engineering (MS)
Department, Program, or Center
Computer Engineering (KGCOE)
Holsopple, Jared D., "TANDI: Threat Assessment of Network Data and Information" (2006). Thesis. Rochester Institute of Technology. Accessed from
RIT – Main Campus