A Practical Approach to Modeling Uncertainty in Intrusion Analysis
Source: Kansas State University
Uncertainty is an innate feature of intrusion analysis because system monitoring tools, including Intrusion Detection Systems (IDS) and the many types of logs, provide only a limited view of what is happening. Attackers are essentially invisible in cyberspace: monitoring tools can observe only the symptoms produced by malicious activity, mingled with identical effects produced by non-malicious activity. The conclusions one can draw from these observations therefore carry varying degrees of uncertainty, which is the major source of false positives and false negatives in intrusion analysis. This paper presents a practical approach to modeling such uncertainty, so that the various security implications of those low-level observations are captured in a simple logical language augmented with certainty tags.