Where $|\mathit{Pre}(B)|$ is the number of predicates in the pre condition of $B$. In other terms, $\omega_S(B)$ gives the rate of preconditions in $B$ that can be achieved using a scenario $S$.
Similarly, $\omega_S(O)$ gives the ratio of state conditions in intrusion objective $O$ that can be satisfied in a scenario $S$, namely:
$$\omega_S(O) = \begin{cases} 0 & \text{if there exists at least one element in } S_O \text{ which has a negative influence on } O \\ \dfrac{U(S_O, O)}{|\mathit{StateCondition}(O)|} & \text{otherwise} \end{cases}$$
5 Weighting Scenarios
This section aims at showing how correlation weights can be used to rank-order
a set of possible scenarios leading to the same intrusion objective.
In the following, to each scenario $S = (A_1, A_2, ..., A_n, O)$ we associate its
vector of correlation weights $(\omega_S(A_1), \omega_S(A_2), ..., \omega_S(A_n), \omega_S(O))$. The question
is how to aggregate these weights in order to evaluate the plausibility of a given
scenario and how to compare two weighted scenarios. By $g$ we designate the
aggregation operator.
A first natural aggregation mode is to consider the mean operator, namely:
Mean-based aggregation mode:
$$g(A_1, ..., A_n, O) = \frac{\sum_{i=1}^{n} \omega_S(A_i) + \omega_S(O)}{n+1}$$
However this aggregation mode is not desirable since scenarios containing
actions with a null weight are not excluded.
Conjunctive-based aggregation mode:
A natural condition that $g$ should satisfy is:
If $\omega_S(A_i) = 0$ or $\omega_S(O) = 0$ then $g(A_1, ..., A_n, O) = 0$.
Aggregation functions satisfying this condition are called conjunctive operators.
A weaker form of such operators would be: if $\omega_S(A_i) = 0$ or $\omega_S(O) = 0$
then scenario $S$ should be among the least plausible ones. The weakest form of
a conjunctive operator would be to say that a scenario $S$ should not be among
the most plausible ones if $\omega_S(A_i) = 0$ or $\omega_S(O) = 0$.
An example of aggregation operator which is conjunctive is the minimum
operator, namely:
$\exists i \in \{1, .., n\}$
Definition 11: A scenario $S = (A_1, A_2, ..., A_n, O)$ is said to be more plausible
than $S = (B_1, B_2, ..., B_n, O)$ if
$$\min((\omega_S(A_1), \omega_S(A_2), ..., \omega_S(A_n), \omega_S(O))) > \min((\omega_S(B_1), \omega_S(B_2), ..., \omega_S(B_n), \omega_S(O)))$$
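The two aggregation modes and the piecewise objective weight can be compared side by side on a small set of scenarios. The following is an added example, not code from the original text: the function names and the three weight vectors are constructed for illustration, and it assumes $U(S_O, O)$ is the count of state conditions of $O$ that the scenario satisfies.

```python
from fractions import Fraction

def objective_weight(satisfied, total, negative_influence):
    """omega_S(O): 0 when some element of S_O negatively influences O,
    otherwise the ratio of satisfied state conditions.
    Assumption: U(S_O, O) is the count of satisfied state conditions."""
    if negative_influence:
        return Fraction(0)
    return Fraction(satisfied, total)

def mean_aggregate(weights):
    """Mean-based mode: (sum of action weights + objective weight) / (n + 1)."""
    return sum(weights, Fraction(0)) / len(weights)

def min_aggregate(weights):
    """Conjunctive mode: any null weight forces the result to 0."""
    return min(weights)

def more_plausible(a, b):
    """Definition 11: compare two weight vectors by their minimum."""
    return min_aggregate(a) > min_aggregate(b)

def rank(scenarios, g):
    """Scenario names ordered from most to least plausible under g."""
    return sorted(scenarios, key=lambda name: g(scenarios[name]), reverse=True)

# Constructed weight vectors (action weights..., objective weight), same objective.
SCENARIOS = {
    "S1": [Fraction(1), Fraction(0), objective_weight(2, 2, False)],
    "S2": [Fraction(1, 2), Fraction(2, 3), objective_weight(1, 2, False)],
    "S3": [Fraction(1), Fraction(1), objective_weight(2, 2, True)],
}

if __name__ == "__main__":
    for label, g in (("mean", mean_aggregate), ("min", min_aggregate)):
        scores = {name: str(g(w)) for name, w in SCENARIOS.items()}
        print(label, rank(SCENARIOS, g), scores)
```

Under the mean, S1 and S3 outrank S2 even though each contains a null weight; under the minimum, both drop to 0 and S2 is the most plausible.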