Keith Skinner
SRI International
Publication
Featured research published by Keith Skinner.
Recent Advances in Intrusion Detection | 2001
Alfonso Valdes; Keith Skinner
With the growing deployment of host and network intrusion detection systems, managing reports from these systems becomes critically important. We present a probabilistic approach to alert correlation, extending ideas from multisensor data fusion. Features used for alert correlation are based on alert content that anticipates evolving IETF standards. The probabilistic approach provides a unified mathematical framework for correlating alerts that match closely but not perfectly, where the minimum degree of match required to fuse alerts is controlled by a single configurable parameter. Only features in common are considered in the fusion algorithm. For each feature we define an appropriate similarity function. The overall similarity is weighted by a specifiable expectation of similarity. In addition, a minimum similarity may be specified for some or all features. Features in this set must match at least as well as the minimum similarity specification in order to combine alerts, regardless of the goodness of match on the feature set as a whole. Our approach correlates attacks over time, correlates reports from heterogeneous sensors, and correlates multiple attack steps.
Recent Advances in Intrusion Detection | 2000
Alfonso Valdes; Keith Skinner
Inference methods for detecting attacks on information resources typically use signature analysis or statistical anomaly detection methods. The former have the advantage of attack specificity, but may not be able to generalize. The latter detect attacks probabilistically, allowing for generalization potential. However, they lack attack models and can potentially learn to consider an attack normal. Herein, we present a high-performance, adaptive, model-based technique for attack detection, using Bayes net technology to analyze bursts of traffic. Attack classes are embodied as model hypotheses, which are adaptively reinforced. This approach has the attractive features of both signature-based and statistical techniques: model specificity, adaptability, and generalization potential. Our initial prototype sensor examines TCP headers and communicates in IDIP, delivering a complementary inference technique to an IDS sensor suite. The inference technique is itself suitable for sensor correlation.
Workshop on Rapid Malcode | 2004
Phillip A. Porras; Linda Briesemeister; Keith Skinner; Karl N. Levitt; Jeff Rowe; Yu-Cheng Allen Ting
We study the strengths, weaknesses, and potential synergies of two complementary worm quarantine defense strategies under various worm attack profiles. We observe their abilities to delay or suppress infection growth rates under two propagation techniques and three scan rates, and explore the potential synergies in combining these two complementary quarantine strategies. We compare the performance of the individual strategies against a hybrid combination strategy, and conclude that the hybrid strategy yields substantial performance improvements, beyond what either technique provides independently. This result offers potential new directions in hybrid quarantine defenses.
ACM Multimedia | 1993
Earl Craighill; Ruth E. Lang; Martin W. Fong; Keith Skinner
The Collaborative Environment for Concurrent Engineering Design (CECED) is presented, which provides mechanisms that facilitate communicating effectively using multiple media and capturing the history of the informal phase of the specification and design process. The network-supported collaboration technology being developed in CECED is designed to support collaboration among multiple users of existing tools with minimal intrusion into existing software or user interaction styles. It integrates voice with other media exchanged in a multimedia conference by multiplexing the media in the same multicast connection for transport across a network or internet. It separates private workspaces from shared ones. It uses a distributed activity-sensing floor control algorithm to guarantee a single stream of input to unmodified single-user applications. It extends the shared screen paradigm prevalent in multimedia conferencing to shared and coordinated control of client applications and server resources. Finally, it supports the replication of applications and databases at each site, quick feedback to all conferees, and the ability to conference over low bandwidth communication networks.
ACM Multimedia | 1994
Earl Craighill; Martin W. Fong; Keith Skinner; Ruth E. Lang; K. Gruenefeldt
The Synchronous Collaborative Object-Oriented Toolkit (SCOOT) provides reliable real-time multimedia collaboration for geographically separated participants. SCOOT does this by synchronizing application states and ensuring reliable shared tool control. It is designed to provide this functionality while minimizing the modifications to application code, the impact on a developer's design style and level of effort, and on an application's structure. SCOOT extends the end-user's working style by providing a continuum of collaboration styles, ranging from informal to formal.
Archive | 2006
Steven Cheung; Bruno Dutertre; Martin W. Fong; Ulf Lindqvist; Keith Skinner; Alfonso Valdes
Network and Distributed System Security Symposium | 2015
Phillip A. Porras; Steven Cheung; Martin W. Fong; Keith Skinner; Vinod Yegneswaran
Recent Advances in Intrusion Detection | 2000
Alfonso Valdes; Keith Skinner
Archive | 2014
Phillip A. Porras; Keith Skinner; Steven Dawson
Archive | 2002
Alfonso Valdes; Keith Skinner