A Dynamic Fusion Approach for Security Situation Assessment

The need for higher-level reasoning capabilities beyond low-level sensor abilities has prompted researchers to use different types of sensor fusion techniques for better situational awareness in the intrusion detection environment. These techniques primarily vary in terms of their mission objectives. Some prioritize alerts for alert reduction, some cluster alerts to identify common attack patterns, and some correlate alerts to identify multistaged attacks. Each of these tasks has its own merits. Unlike previous efforts in this area, we have combined the primary tasks of sensor alert fusion, i.e., alert prioritization, alert clustering and alert correlation into a single framework such that individual results are used to quantify a confidence score as an overall assessment for global diagnosis of a systems’ security situation. In this paper, we particularly address the problem of fusing results of alert clustering and alert correlation for the determination of systems’ overall security health. We use a possibilistic approach in intelligent fusion of sensor alerts in order to accommodate the impreciseness and vagueness in knowledge-based reasoning. Experiments show that fusing higher level analysis results provides further insight into overall security situation of protected resources in the network.