Event Recognition Beyond Signature and Anomaly

Notions of signature and anomaly have formed the basis of useful methods in cyber defense, but even in combination provide only weak evidence for recognizing many events of interest. One can recognize many important events without requiring signatures of specific ways the events can take place and without treating every anomalous behavior as an event. We describe an approach to event recognition that subsumes and extends signature and anomaly methods by starting from a richer language for characterizing events. This paper explains how recognition methods based on this richer event-characterization language offer means for overcoming the limitations constraining signature and anomaly methods.
