Advanced Security Incident Analysis with Sensor Correlation

This chapter explores the general problem of the poorly detected attacks with Intrusion Detection Systems. The poorly detected attacks reveal the fact that they are characterized by features that do not discriminate them much. The poor performance of the detectors has been improved by discriminative training of anomaly detectors and incorporating additional rules into the misuse detector. This chapter proposes a new approach of machine learning method where corresponding learning problem is characterized by a number of features. This chapter discusses the improved performance of multiple Intrusion Detection Systems using Data-dependent Decision fusion. The Data-dependent Decision fusion approach gathers an in-depth understanding about the input traffic and also the behavior of the individual Intrusion Detection Systems by means of a neural network learner unit. This information is used to fine-tune the fusion unit since the fusion depends on the input feature vector. Thus fusion implements a function that is local to each region in the feature space. It is well-known that the effectiveness of sensor fusion improves when the individual IDSs are uncorrelated. The training methodology adopted in this work takes note of this fact. For illustrative purposes, the DARPA 1999 data set as has been used. The Data-dependent Decision fusion shows a significantly better performance with respect to the performance of individual Intrusion Detection Systems. DOI: 10.4018/978-1-4666-0104-8.ch017