Model-based Intrusion Assessment in Common Lisp

Keywords: computer security, intrusion detection, report fusion, IDS fusion, IDS correlation, lisp

Abstract: We describe the Scyllarus system, which performs Intrusion Detection System (IDS) fusion, using Bayes nets and qualitative probability.1 IDSes are systems that sense intrusions in computer networks and hosts. IDS fusion is the problem of fusing reports from multiple IDSes scattered around a computer network we wish to defend, into a coherent overall picture of network status. Scyllarus treats the problem of IDS fusion as an abduction problem, formalized using Bayes nets and Knowledge-based Model Construction (KBMC). Because of the coarseness of the data available, Scyllarus uses a qualitative framework, based on System- Z+. Qualitative Bayes nets allow Scyllarus to exploit the strengths of probabilistic reasoning, without excessive knowledge acquisition and without committing to a misleading level of accuracy in its conclusions. The Scyllarus system gave excellent results on a mediumsized corporate network, where it was in continuous use for approximately four years, and was validated in a DARPA-funded assessment. Under US Federal government funding, we are now working to adapt Scyllarus to analyze detection reports from sensors monitoring very high speed (10 - 100 Gb/second) networks in a project called "SMITE"