Philippe Leray

Bayesian Network-Based Approaches for Severe Attack Prediction and Handling IDSs’ Reliability

Probabilistic graphical models are very powerful modeling and reasoning tools. In this paper, we propose efficient Bayesian network-based approaches for two major problems in alert correlation which plays an important role in nowadays computer security infrastructures. While the use of multiple intrusion detection systems (IDSs) and complementary approaches is highly recommended to improve the overall detection rates, this inevitably rises huge amounts of alerts most of which are redundant and false alarms. The aim of this work is twofold: Firstly, we propose an approach based on Bayesian multi-nets which allow to take advantage of local influence relationships in order to improve the prediction of severe attacks. Secondly, we propose to handle the reliability of IDSs by considering the uncertainty relative to the triggered alerts. Experimental studies carried out on real and recent IDMEF alerts produced by the de facto network-based IDS Snort shows significant improvements with respect to standard Bayesian approaches. More particularly, the handling of IDSs’ reliability significantly reduces the false alarm rate which represents a crucial issue for intrusion detection development.