Determining Placement of Intrusion Detectors for a Distributed Application Through Bayesian Network Modeling
Source: Purdue University
To secure today's computer systems, it is critical to have different intrusion detection sensors embedded in them. The complexity of distributed computer systems makes it difficult to determine the appropriate configuration of these detectors, i.e., their choice and placement. In this paper, the authors describe a method to evaluate the effect of the detector configuration on the accuracy and precision of determining security goals in the system. For this, they develop a Bayesian network model for the distributed system, from an attack graph representation of multi-stage attacks in the system. They use Bayesian inference to solve the problem of determining the likelihood that an attack goal has been achieved, given a certain set of detector alerts.
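The inference step described above, sketched as an added example that is not taken from the paper: a three-stage attack graph is turned into a Bayesian network, detector nodes are attached at chosen steps, and exact enumeration gives the probability that the attack goal was reached given the alerts. The step names, the conditional probabilities and the detector true/false positive rates are all constructed assumptions.

```python
from itertools import product

# Constructed three-stage attack graph: foothold -> lateral -> goal.
# All probabilities are illustrative assumptions, not values from the paper.
PARENTS = {"foothold": [], "lateral": ["foothold"], "goal": ["lateral"]}
# P(node = True | parent values), keyed by the tuple of parent truth values.
CPT = {
    "foothold": {(): 0.3},
    "lateral": {(True,): 0.6, (False,): 0.0},
    "goal": {(True,): 0.5, (False,): 0.0},
}
TPR, FPR = 0.9, 0.1  # assumed detector true/false positive rates

def build(placement):
    """Return (parents, cpt) with one detector node per monitored attack step."""
    parents, cpt = dict(PARENTS), dict(CPT)
    for step in placement:
        parents["det_" + step] = [step]
        cpt["det_" + step] = {(True,): TPR, (False,): FPR}
    return parents, cpt

def joint(assign, parents, cpt):
    """Probability of one full assignment: product of each node's CPT entry."""
    p = 1.0
    for node, pars in parents.items():
        p_true = cpt[node][tuple(assign[x] for x in pars)]
        p *= p_true if assign[node] else 1.0 - p_true
    return p

def posterior(query, evidence, placement):
    """P(query = True | evidence) by summing the joint over all assignments."""
    parents, cpt = build(placement)
    nodes = list(parents)
    num = den = 0.0
    for values in product([True, False], repeat=len(nodes)):
        assign = dict(zip(nodes, values))
        if any(assign[k] != v for k, v in evidence.items()):
            continue  # assignment contradicts the observed alerts
        p = joint(assign, parents, cpt)
        den += p
        if assign[query]:
            num += p
    return num / den

if __name__ == "__main__":
    for placement in (["foothold"], ["lateral"], ["foothold", "lateral"]):
        alerts = {"det_" + s: True for s in placement}
        print(placement, round(posterior("goal", alerts, placement), 4))
```

With these constructed numbers, an alert from a detector on the later step raises the goal probability more than one on the first step, which is the kind of comparison between detector configurations the abstract refers to.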