D-S Evidence Theory and Its Data Fusion Application in Intrusion Detection

Traditional Intrusion Detection Systems (IDSs) focus on low-level attacks or anomalies and produce too many alerts in practical deployment. Based on the D-S Evidence Theory and its data fusion technology, a novel detection data fusion model, IDSDFM, is presented. By correlating and merging the alerts of different types of IDSs, a set of alerts is partitioned into alert tracks such that the alerts in the same track may correspond to the same attack. On that basis, the current security situation of the network is estimated by applying the D-S Evidence Theory, and some IDSs in the network are dynamically adjusted to strengthen the detection of the data related to the attack attempts. Consequently, the false positive rate and the false negative rate are effectively reduced, and the detection efficiency of the IDS is improved.
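An added example, not code from the paper: Dempster's rule of combination fusing the evidence of two (then three) IDSs about one alert track into a belief and plausibility that the track is a real attack. The frame of discernment {attack, normal}, the source names and the mass values are constructed assumptions.

```python
from itertools import product

ATTACK, NORMAL = "attack", "normal"
THETA = frozenset({ATTACK, NORMAL})  # frame of discernment (assumed two-element frame)


def combine(m1, m2):
    """Dempster's rule: fuse two mass functions (dict: frozenset -> mass).

    Returns (normalised fused mass, conflict K). Raises if K == 1, i.e. the
    sources are in total conflict and the rule is undefined."""
    fused, conflict = {}, 0.0
    for (b, mb), (c, mc) in product(m1.items(), m2.items()):
        inter = b & c
        if inter:
            fused[inter] = fused.get(inter, 0.0) + mb * mc
        else:
            conflict += mb * mc  # mass assigned to the empty set
    if conflict >= 1.0 - 1e-12:
        raise ValueError("total conflict: sources cannot be fused")
    return {a: v / (1.0 - conflict) for a, v in fused.items()}, conflict


def fuse_all(masses):
    """Fold Dempster's rule over any number of IDS sources (it is associative)."""
    result = masses[0]
    for m in masses[1:]:
        result, _ = combine(result, m)
    return result


def belief(m, a):
    """Bel(A): total mass committed to subsets of A."""
    return sum(v for b, v in m.items() if b <= a)


def plausibility(m, a):
    """Pl(A): total mass that does not contradict A."""
    return sum(v for b, v in m.items() if b & a)


# Constructed evidence for one alert track. A signature IDS fired but is unsure
# of context (mass left on THETA); an anomaly IDS leans to attack with some
# mass on normal; a host IDS saw only weak evidence.
SIGNATURE_IDS = {frozenset({ATTACK}): 0.6, THETA: 0.4}
ANOMALY_IDS = {frozenset({ATTACK}): 0.5, frozenset({NORMAL}): 0.2, THETA: 0.3}
HOST_IDS = {frozenset({ATTACK}): 0.3, THETA: 0.7}

if __name__ == "__main__":
    m12, k = combine(SIGNATURE_IDS, ANOMALY_IDS)
    print(f"conflict K={k:.2f}  Bel(attack)={belief(m12, frozenset({ATTACK})):.3f}"
          f"  Pl(attack)={plausibility(m12, frozenset({ATTACK})):.3f}")
    m123 = fuse_all([SIGNATURE_IDS, ANOMALY_IDS, HOST_IDS])
    print(f"three sources: Bel(attack)={belief(m123, frozenset({ATTACK})):.3f}")
```

The gap between Bel and Pl is the residual ignorance; a narrow gap with high Bel is the situation in which the model would direct extra IDS attention to the track.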
