Information Systems Technology
Publication Abstract
Dain, O. M., and Cunningham, R. K. Building Scenarios from a Heterogeneous Alert Stream. IEEE Transactions on Systems, Man and Cybernetics, 2002.
Abstract
We describe a real-time algorithm for combining the alerts produced by several heterogeneous intrusion detection sensors into scenarios. Each scenario represents a sequence of actions performed by a single actor or organization. Our algorithm, which is probabilistic in nature, can determine the scenario membership of a new alert in time proportional to the number of candidate scenarios. It is capable of finding scenarios even if an intruder has used stealthy attack methods such as forged source IP addresses or long latencies between attack components.
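The following is an added illustration of the correlation loop the abstract describes; it is not code from the paper, and its scoring model (the weights, the time decay and the 0.2 threshold) is an assumption chosen for the example, not the authors' probability model. Alerts from different sensors are normalized into one Alert record, each new alert is scored against every open scenario (so the cost is linear in the number of candidates), and the score deliberately treats a changed source address as only weak evidence and decays slowly with time, so a forged source or a long pause between stages does not by itself split a scenario. The sample alerts are constructed.

```python
"""Assign each incoming alert to the most probable open scenario, or start a new one."""
from __future__ import annotations

import math
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Alert:
    ts: float       # seconds since epoch (constructed sample values below)
    sensor: str     # which heterogeneous sensor raised the alert
    src: str
    dst: str
    kind: str


@dataclass
class Scenario:
    """One actor's sequence of actions, plus the hosts seen in it so far."""
    alerts: list[Alert] = field(default_factory=list)
    sources: set[str] = field(default_factory=set)
    targets: set[str] = field(default_factory=set)

    def add(self, alert: Alert) -> None:
        self.alerts.append(alert)
        self.sources.add(alert.src)
        self.targets.add(alert.dst)


# Assumed threshold: below this, the alert is more likely a fresh scenario.
NEW_SCENARIO_THRESHOLD = 0.2


def membership_score(scenario: Scenario, alert: Alert) -> float:
    """Assumed likelihood that `alert` belongs to `scenario` (not the paper's model)."""
    # A target already in the scenario is strong evidence of continuity.
    p_dst = 0.9 if alert.dst in scenario.targets else 0.1
    # A new source is only weak evidence against: attackers forge source addresses.
    p_src = 0.8 if alert.src in scenario.sources else 0.5
    # Slow decay with a 0.4 floor, so long latencies between stages still link.
    gap_hours = (alert.ts - scenario.alerts[-1].ts) / 3600.0
    p_time = 0.4 + 0.6 * math.exp(-gap_hours / 12.0)
    return p_dst * p_src * p_time


def correlate(alerts: list[Alert]) -> list[Scenario]:
    """Process alerts in time order; each one costs O(number of open scenarios)."""
    scenarios: list[Scenario] = []
    for alert in alerts:
        best, best_score = None, 0.0
        for candidate in scenarios:
            score = membership_score(candidate, alert)
            if score > best_score:
                best, best_score = candidate, score
        if best is None or best_score < NEW_SCENARIO_THRESHOLD:
            best = Scenario()
            scenarios.append(best)
        best.add(alert)
    return scenarios


# Constructed alert stream from three sensor types: a scan, a login failure from a
# different (possibly forged) source, an unrelated alert, then an exploit 36 hours later.
SAMPLE_ALERTS = [
    Alert(0.0, "nids", "10.0.0.5", "192.0.2.10", "portscan"),
    Alert(60.0, "hids", "198.51.100.7", "192.0.2.10", "login_failure"),
    Alert(120.0, "nids", "10.0.0.99", "203.0.113.4", "dns_anomaly"),
    Alert(36 * 3600.0, "app", "10.0.0.5", "192.0.2.10", "exploit"),
]


if __name__ == "__main__":
    for i, s in enumerate(correlate(SAMPLE_ALERTS)):
        print(f"scenario {i}: {[a.kind for a in s.alerts]} targets={sorted(s.targets)}")
```

Running the block groups the scan, the login failure and the delayed exploit into one scenario (same target outweighs the changed source and the 36-hour gap) and leaves the unrelated DNS alert in a scenario of its own.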
