Comments: The file is, I believe, on hadar.
ContactPerson: smathew2@cse.buffalo.edu
### Begin Citation ### Do not delete this line ###
%R 2004-18
%U /projects/smathew2/frame2.ps
%A Mathew, Sunu
%A Shah, Chintan
%A Upadhyaya, Shambhu
%T An Alert Fusion Framework for Situation Awareness of Coordinated Multistage Attacks
%D November 29, 2004
%I Department of Computer Science and Engineering, SUNY Buffalo
%K Alert Fusion, Computer Security, Intrusion Detection, Situation Awareness
%X Recent incidents in the cyber world strongly suggest that coordinated multistage cyber attacks are quite probable and that effective countermeasures need to be developed. Attack detection by correlation and fusion of intrusion alerts has been an active area of current research. However, most of these research efforts focus on ex post facto analysis of alert data to uncover related attacks. In this paper, we present an approach for dynamically calculating 'Scenario Credibilities' based on the state of a live intrusion alert stream. We also develop a framework for Attack Scenario representation that facilitates real-time fusion of intrusion alerts and calculation of the scenario credibility values. Our approach provides a usable mechanism for detecting, predicting and reasoning about multistage goal-oriented attacks in real time. The details of the fusion framework and a description of multistage attack detection using this framework are presented in this paper.