Distributed Zero-Day Attack Detection

Fig. 1: Attack Detection Overview
Fusing Intrusion Data for Detection and Containment. Fusing information from diverse detectors remains a challenge in intrusion detection. ORNL applied data fusion techniques to combine the alerts generated by different detectors, each of which signals the potential presence of an intrusion. In this work, data fusion reduced false positives while improving the level of detection. By combining the outputs of fusers running on distributed hosts, a system can also detect and track the spread of an intrusion across the network. The advantage of this technique is that dissimilar and independent detectors can be combined efficiently without increasing the false-alarm rate; the gain depends on the detectors' errors being largely independent, since correlated detectors add little evidence beyond the first. To relate local detection to containment, ORNL investigated a mathematical model of intrusion spreading and of the throttling effect of a response. The results suggest that an autonomous response system that reacts at the local intranet level in under ten seconds can be effective in keeping a majority of aggressive intrusions from spreading unchecked. When a system-wide alerting mechanism responds in under approximately a minute, a global infection may be contained even if the local reaction-time constraint is relaxed.
- M. Shankar, N. Rao, and S. Batsell, "Fusing Intrusion Data for Detection and Containment," MILCOM 2003, Boston, MA, Oct. 13-16, 2003.
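The two ideas in the paragraph above, combining independent detectors and relating response delay to how far an intrusion spreads, can be made concrete with a small model. The following is an added example written for this page; it is not ORNL's code, and it does not reproduce the fusion method or the spread model from the MILCOM paper. It fuses three hypothetical detectors with assumed true- and false-positive rates using a naive-Bayes log-likelihood-ratio sum, computes the exact fused rates by enumerating all alert combinations, and then runs a simplified random-scanning worm model in which a host is quarantined `local_delay` seconds after infection and a network-wide block fires `global_delay` seconds after the first (assumed instantly detected) infection. Every parameter (detector rates, 5000 vulnerable hosts in a 65536-address space, one scan per second) is an assumption chosen to illustrate how such a model is used; the numbers it produces are not the paper's results.

```python
"""Added example (not ORNL's code or model): (1) naive-Bayes fusion of
independent intrusion detectors and (2) a minimal discrete-time model of worm
spread under local and global response delays.  All rates and sizes below are
assumed, illustrative values."""
import math
from itertools import product

# Assumed per-detector rates: (true-positive rate, false-positive rate).
DETECTORS = [(0.80, 0.10), (0.70, 0.05), (0.75, 0.08)]


def fused_llr(alerts, detectors=DETECTORS):
    """Sum each detector's log-likelihood ratio for its alert/no-alert output.
    Independence of the detectors is what makes the plain sum valid."""
    llr = 0.0
    for fired, (tpr, fpr) in zip(alerts, detectors):
        if fired:
            llr += math.log(tpr / fpr)
        else:
            llr += math.log((1 - tpr) / (1 - fpr))
    return llr


def fused_rates(detectors=DETECTORS, threshold=0.0):
    """Exact TPR/FPR of the fused decision 'alert if LLR > threshold',
    computed by enumerating every combination of detector outputs."""
    tpr = fpr = 0.0
    for alerts in product((0, 1), repeat=len(detectors)):
        if fused_llr(alerts, detectors) <= threshold:
            continue
        p_intrusion = p_benign = 1.0
        for fired, (t, f) in zip(alerts, detectors):
            p_intrusion *= t if fired else 1 - t
            p_benign *= f if fired else 1 - f
        tpr += p_intrusion
        fpr += p_benign
    return tpr, fpr


def simulate_spread(n_vulnerable=5000, address_space=65536, scan_rate=1.0,
                    local_delay=None, global_delay=None, horizon=600):
    """Expected number of hosts infected by a uniformly random-scanning worm
    (assumed model).  local_delay: seconds after infection at which a host is
    quarantined (None = never).  global_delay: seconds after patient zero at
    which network-wide blocking stops all further spread (None = never)."""
    susceptible = n_vulnerable - 1.0
    new = [1.0]  # expected hosts infected at each second; patient zero at t=0
    for t in range(1, horizon):
        if global_delay is not None and t >= global_delay:
            break  # system-wide response: no further infections
        start = 0 if local_delay is None else max(0, t - local_delay)
        active = sum(new[start:t])  # infected hosts not yet quarantined
        infected_now = min(susceptible,
                           active * scan_rate * susceptible / address_space)
        susceptible -= infected_now
        new.append(infected_now)
    return n_vulnerable - susceptible


if __name__ == "__main__":
    for tpr, fpr in DETECTORS:
        print(f"single detector  TPR={tpr:.3f} FPR={fpr:.3f}")
    tpr, fpr = fused_rates()
    print(f"fused (LLR > 0)  TPR={tpr:.3f} FPR={fpr:.4f}")
    print("no response:        %.0f hosts" % simulate_spread())
    print("local 10 s:         %.1f hosts" % simulate_spread(local_delay=10))
    print("local 300 s + 60 s global: %.0f hosts"
          % simulate_spread(local_delay=300, global_delay=60))
```

With these assumed detectors the fused rule alerts only when at least two of the three fire, which lifts detection above the best single detector while cutting the false-alarm rate below the best single detector. In the spread model, the quantity that decides containment is how many hosts an infected machine reaches before it is quarantined; under the assumed scan rate and address density, a ten-second local response keeps that below one and the outbreak dies after a handful of hosts, while a one-minute global block with a relaxed local response still holds the infection to a small fraction of the vulnerable population. Changing the scan rate or density moves those thresholds, which is exactly what such a model is for.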