Alert Fusion for a Computer Host Based Intrusion Detection System

• Published in: Engineering of computer-based systems : ECBS 2007 proceedings : raising expectations of computer-based systems : 14th Annual IEEE International Conference and Workshops on the Engineering of Computer-Based Systems : March 26-29, 2007, Tucson, Arizona pp. 433 - 440
• Main Authors: Chuan Feng, Jianfeng Peng, Haiyan Qiao, Rozenblit, J.W.
• Format: Conference Proceeding
• Language: English
• Published: IEEE 01.03.2007
• Subjects: Access control; Authentication; Computer architecture; Computer performance; Data security; Engines; Expert systems; Information security; Intrusion detection; Protection
• ISBN: 9780769527727; 0769527728
• DOI: 10.1109/ECBS.2007.17

Intrusions impose tremendous threats to today's computer hosts. Intrusions using security breaches to achieve unauthorized access or misuse of critical information can have catastrophic consequences. To protect computer hosts from the increasing threat of intrusion, various kinds of intrusion detection systems (IDSs) have been developed. The main disadvantages of current IDSs are a high false detection rate and the lack of post-intrusion decision support capability. To minimize these drawbacks, we propose an event-driven intrusion detection architecture which integrates subject-verb-object (SVO) multi-point monitors and an impact analysis engine. Alert fusion and verification models are implemented to provide more reasonable intrusion information from incomplete, inconsistent or imprecise alerts acquired by SVO monitors. DEVS formalism is used to describe the model based design approach. Finally we use the DEVS-JAVA simulation tool to show the feasibility of the proposed system