TY - GEN
T1 - A diagnosis based intrusion detection approach
AU - Jackson, Conner
AU - Levitt, Karl
AU - Rowe, Jeff
AU - Krishnamurthy, Srikanth
AU - Jaeger, Trent
AU - Swami, Ananthram
N1 - Publisher Copyright:
© 2015 IEEE.
PY - 2015/12/14
Y1 - 2015/12/14
N2 - We describe preliminary work on a novel detection approach, diagnosis-enabled intrusion detection (DEID), that takes a stream of evidence from multiple sources, aggregates it and uses it to arrive at the best explanation for the observed activity. This approach requires solving four key scientific challenges: (i) a theory and algorithms for monitor placement that covers all system layers, so that attackers cannot evade detection even when launching zero-day attacks; (ii) evidence collection that produces useful aggregated evidence from system actions in real time without adversely affecting the mission; (iii) a theory of diagnosis detection for filtering and correlating evidence to test hypotheses regarding mission impact, producing both diagnoses and explanations of their causes; and (iv) diagnosis presentation for conveying explanations to domain experts, so that they can produce new knowledge to act effectively on previously unknown attacks and respond effectively to identified attacks while preserving mission requirements.
AB - We describe preliminary work on a novel detection approach, diagnosis-enabled intrusion detection (DEID), that takes a stream of evidence from multiple sources, aggregates it and uses it to arrive at the best explanation for the observed activity. This approach requires solving four key scientific challenges: (i) a theory and algorithms for monitor placement that covers all system layers, so that attackers cannot evade detection even when launching zero-day attacks; (ii) evidence collection that produces useful aggregated evidence from system actions in real time without adversely affecting the mission; (iii) a theory of diagnosis detection for filtering and correlating evidence to test hypotheses regarding mission impact, producing both diagnoses and explanations of their causes; and (iv) diagnosis presentation for conveying explanations to domain experts, so that they can produce new knowledge to act effectively on previously unknown attacks and respond effectively to identified attacks while preserving mission requirements.
UR - http://www.scopus.com/inward/record.url?scp=84959304569&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84959304569&partnerID=8YFLogxK
U2 - 10.1109/MILCOM.2015.7357564
DO - 10.1109/MILCOM.2015.7357564
M3 - Conference contribution
AN - SCOPUS:84959304569
T3 - Proceedings - IEEE Military Communications Conference MILCOM
SP - 929
EP - 934
BT - 2015 IEEE Military Communications Conference, MILCOM 2015
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 34th Annual IEEE Military Communications Conference, MILCOM 2015
Y2 - 26 October 2015 through 28 October 2015
ER -
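The abstract above describes the DEID pipeline only at the level of its four challenges: collect evidence from monitors at several system layers, aggregate it, rank hypotheses about mission impact by how well they explain the observations, and hand a domain expert an explanation rather than a bare alert. The following is an added toy illustration of that pipeline written for this page; it is not code from the paper and does not reproduce the authors' diagnosis theory. It uses a simple abductive score (observed evidence a hypothesis explains, minus a penalty for evidence the hypothesis predicts but no monitor reported) and only reports a diagnosis as confirmed when its supporting evidence spans more than one layer, which is one concrete way to make single-layer evasion visible. The hypothesis catalogue, evidence tuples, layer names, `MIN_LAYERS` and `MISSING_PENALTY` are all constructed assumptions for the example.

```python
"""Toy evidence aggregation and best-explanation ranking.

Added illustration, not the DEID algorithm from the MILCOM 2015 paper:
hypotheses are scored abductively (observed evidence they explain minus a
penalty for evidence they predict that no monitor reported), and a
diagnosis is only 'confirmed' when its supporting evidence spans at least
MIN_LAYERS system layers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Hypothesis:
    name: str
    mission_impact: str          # hypothetical label, e.g. "data loss"
    expects: frozenset           # (layer, event) pairs the hypothesis predicts


@dataclass
class Diagnosis:
    hypothesis: str
    mission_impact: str
    score: float
    explained: list              # observed evidence the hypothesis accounts for
    unexplained: list            # observed evidence it does not account for
    missing: list                # predicted evidence no monitor reported
    confirmed: bool = False      # True when 'explained' spans >= MIN_LAYERS layers


MIN_LAYERS = 2                   # assumed corroboration threshold, not from the paper
MISSING_PENALTY = 0.5            # assumed weight for predicted-but-unseen evidence


def aggregate(stream):
    """Collapse a raw evidence stream into unique items, preserving arrival order."""
    unique = []
    for item in stream:
        if item not in unique:
            unique.append(item)
    return unique


def score(hyp, observed):
    """Abductive score: reward explained evidence, penalise unmet predictions."""
    explained = [e for e in observed if e in hyp.expects]
    unexplained = [e for e in observed if e not in hyp.expects]
    missing = sorted(hyp.expects - set(observed))
    value = len(explained) - MISSING_PENALTY * len(missing)
    return Diagnosis(hyp.name, hyp.mission_impact, value, explained, unexplained, missing)


def diagnose(stream, hypotheses):
    """Rank hypotheses against the aggregated stream; return (best, ranked list)."""
    observed = aggregate(stream)
    ranked = sorted((score(h, observed) for h in hypotheses),
                    key=lambda d: d.score, reverse=True)
    best = ranked[0]
    layers = {layer for layer, _ in best.explained}
    best.confirmed = len(layers) >= MIN_LAYERS
    return best, ranked


def explain(diag):
    """Render a diagnosis as the kind of explanation a domain expert would read."""
    lines = [f"Diagnosis: {diag.hypothesis} (mission impact: {diag.mission_impact}, "
             f"score {diag.score:.1f}, confirmed={diag.confirmed})"]
    lines += [f"  supported by {layer}: {event}" for layer, event in diag.explained]
    lines += [f"  predicted but not observed: {layer}: {event}" for layer, event in diag.missing]
    lines += [f"  observed but unexplained: {layer}: {event}" for layer, event in diag.unexplained]
    return "\n".join(lines)


# Constructed hypothesis catalogue and evidence streams for this example only.
HYPOTHESES = [
    Hypothesis("benign_admin_session", "none", frozenset({
        ("network", "inbound:tcp/22"), ("syscall", "exec:/bin/sh")})),
    Hypothesis("remote_exploit_then_exfil", "data loss", frozenset({
        ("network", "inbound:tcp/445"), ("syscall", "exec:/bin/sh"),
        ("syscall", "open:/etc/shadow"), ("network", "outbound:tcp/4444")})),
    Hypothesis("local_privilege_escalation", "host compromise", frozenset({
        ("syscall", "exec:/bin/sh"), ("syscall", "open:/etc/shadow"),
        ("syscall", "setuid:0")})),
]

MULTI_LAYER_STREAM = [
    ("network", "inbound:tcp/445"),
    ("syscall", "exec:/bin/sh"),
    ("network", "inbound:tcp/445"),        # duplicate report from a second sensor
    ("syscall", "open:/etc/shadow"),
    ("network", "outbound:tcp/4444"),
]

SYSCALL_ONLY_STREAM = [                    # evidence from one layer only
    ("syscall", "exec:/bin/sh"),
    ("syscall", "open:/etc/shadow"),
]

if __name__ == "__main__":
    for stream in (MULTI_LAYER_STREAM, SYSCALL_ONLY_STREAM):
        best, _ = diagnose(stream, HYPOTHESES)
        print(explain(best), "\n")
```

Run stand-alone, the multi-layer stream yields `remote_exploit_then_exfil` as a confirmed diagnosis with every observation explained, while the syscall-only stream ranks `local_privilege_escalation` highest but leaves it unconfirmed because nothing outside the syscall layer corroborates it; the explanation lists the `setuid:0` event the hypothesis predicted but no monitor saw, which is exactly the gap a monitor-placement theory would aim to close.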