Alert Correlation with Abstract Incident Modeling in a Multi- Sensor Environment1

1 This work was supported by NSF Cyber Trust Program Grant No: SCI-0430354, NSA IASP Grant No: H98230-04-1-0205, Office of Naval Research Grant number N00014-01-1-0678, and the Department of Computer Science and Engineering, Center for Computer Security Research at Mississippi State University. Parts of this work have appeared in Proceedings: IEEE International Conference on Intelligence and Security Informatics, 2005. Summary In response to proliferated attacks on enterprise systems today, many practitioners employ multiple, diverse sensors for increased information assurance because a single sensor cannot detect all types of attacks. A multi-sensor environment is characterized by deployment of a homogeneous and/or heterogeneous suite of sensors to monitor different entities in the corresponding environment. These multiple sensors may employ different strategies based on the model they use, the data source they monitor and the techniques they employ. Essentially, the primary advantage of using multiple sensors is to improve the detection rate and the coverage within the system. In multisensor environments, the sensors can collaborate with or complement each other to provide increased assurance of information. Although it makes good engineering sense to employ multiple sensors in a secure environment, however, managing data from these sensors is critically important. In this paper, we address the alert correlation aspect of sensor alert fusion in a multi-sensor environment. Here we describe the use of a causal knowledge-based inference technique with Fuzzy Cognitive Modeling to discover causal relationships in sensor data.