Prioritizing Intrusion Analysis Using Dempster-Shafer Theory
Source: Kansas State University
Intrusion analysis and incident management, i.e., the process of combing through IDS alerts and audit logs to identify and remediate genuine attacks, whether successful or merely attempted, remains a difficult problem in practical network security defense. The major root cause of this problem is the high rate of false positives in the sensors that intrusion detection systems use to detect malicious activity. Current IDSs are unable to differentiate nearly certain attacks from those that are merely possible, which reduces the value of their alerts to an administrator. Standard Bayesian theory has not been effective in this regard because good prior knowledge is lacking.
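As an added illustration (not code from the paper or from Kansas State University), the following Python applies Dempster's rule of combination to evidence about one suspected intrusion: belief in "attack" measures how nearly certain it is, plausibility how far it remains merely possible, and the gap between them is the ignorance that a Bayesian model would have to fill with a prior. The sensor mass values and alert bundles are constructed sample data, not measurements.

```python
from itertools import product

ATTACK, BENIGN = "attack", "benign"
THETA = frozenset({ATTACK, BENIGN})   # frame of discernment: the two hypotheses
H_ATTACK = frozenset({ATTACK})

def combine(m1, m2):
    """Dempster's rule: fuse two mass functions (dict subset -> mass) into one."""
    fused, conflict = {}, 0.0
    for (b, mb), (c, mc) in product(m1.items(), m2.items()):
        common = b & c
        if common:
            fused[common] = fused.get(common, 0.0) + mb * mc
        else:
            conflict += mb * mc            # mass landing on contradictory subsets
    if conflict >= 1.0:
        raise ValueError("total conflict: the sources cannot be combined")
    return {s: v / (1.0 - conflict) for s, v in fused.items()}  # renormalise

def belief(m, hyp):
    """Bel(hyp): mass that directly supports hyp ('nearly certain')."""
    return sum(v for s, v in m.items() if s <= hyp)

def plausibility(m, hyp):
    """Pl(hyp): mass that does not contradict hyp ('merely possible')."""
    return sum(v for s, v in m.items() if s & hyp)

def assess(evidence):
    """Fuse a list of mass functions; return (Bel, Pl) for the attack hypothesis."""
    m = evidence[0]
    for e in evidence[1:]:
        m = combine(m, e)
    return belief(m, H_ATTACK), plausibility(m, H_ATTACK)

def prioritize(cases):
    """Order named alert bundles by Bel(attack), breaking ties on Pl(attack)."""
    scored = {name: assess(ev) for name, ev in cases.items()}
    return sorted(scored, key=scored.get, reverse=True)

# Constructed sample evidence. Each source commits mass only to what it supports;
# the remainder goes to THETA (ignorance), so no prior is needed anywhere.
SIG_ALERT = {H_ATTACK: 0.6, THETA: 0.4}                  # signature with a ~40% FP history
LOGIN_AFTER = {H_ATTACK: 0.5, THETA: 0.5}                # audit log: new login right after alert
NOT_VULNERABLE = {frozenset({BENIGN}): 0.7, THETA: 0.3}  # scanner: target not vulnerable

if __name__ == "__main__":
    cases = {"alert+login": [SIG_ALERT, LOGIN_AFTER],
             "alert only": [SIG_ALERT],
             "alert+not-vuln": [SIG_ALERT, NOT_VULNERABLE]}
    for name in prioritize(cases):
        bel, pl = assess(cases[name])
        print(f"{name:16} Bel={bel:.2f} Pl={pl:.2f} ignorance={pl - bel:.2f}")
```

Corroborating evidence narrows the [Bel, Pl] interval towards certainty, while the contradicting scan result lowers both Bel and Pl for the same alert, which is the ordering an analyst wants when deciding what to investigate first.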