LATTICED: An Algebra for Intrusion Correlation

LATTICED：入侵相关性的代数

• 批准号: 0209046
• 负责人: Herbert Schorr
• 金额: $ 25万
• 依托单位: University of Southern California
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2002
• 资助国家: 美国
• 起止时间: 2002-07-15 至 2004-06-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0209046&HistoricalAwards=false
• 关键词: LATTICED; Algebra; Intrusion; Correlation

Intrusion detection (ID) is an imperfect science. With state-of-the-art techniques, simple attacks with unambiguous signatures can be detected fairly easily, but trying to diagnose more complex attacks often results in a flurry of false positives and undetected attacks.This situation would be improved if ID systems could work together, so that the weaknesses of one would be covered by the strengths of another. However, most of the recent work in combining ID results has focused on the protocol and architecture of the systems. Even a process as simple as corroboration--attempting to agree on a single attack diagnosis--is not assured with only protocol and architecture. Without an underlying body of theory, efforts to combine the results of multiple ID systemswill still fail.The LATTICE plan is to define a consistent and comprehensive way to combine the results of multiple ID systems. The research will employ a graph theory approach to representing the conclusions of individual ID systems. Operators can be defined to combine the graph representations of ID diagnoses in rigorous ways that can be comprehended and analyzed. The results generated by these methods can be understood as the conclusions of the multiple systems, taken as a whole. The outcome of this approach is a rigorous unifying of the abilities and strengths of all the involved ID systems.

入侵检测是一门不完善的科学。 使用最先进的技术，具有明确签名的简单攻击可以相当容易地被检测到，但是试图诊断更复杂的攻击通常会导致一系列误报和未检测到的攻击。如果ID系统能够协同工作，这种情况将得到改善，这样一个系统的弱点将被另一个系统的优点所覆盖。 然而，大多数最近的工作，结合ID的结果集中在协议和体系结构的系统。 即使是像确证这样简单的过程--试图就单个攻击诊断达成一致--也不能仅仅依靠协议和体系结构来保证。 如果没有一个基本的理论体系，将多个ID系统的结果进行联合收割机组合的努力仍然会失败。LATTICE计划是定义一个一致的和全面的方法来联合收割机组合多个ID系统的结果。 该研究将采用图论方法来表示单个ID系统的结论。 可以定义操作符，以便以可以理解和分析的严格方式将ID诊断的图形表示联合收割机组合起来。 这些方法产生的结果可以理解为多个系统作为一个整体的结论。 这种方法的结果是所有参与的ID系统的能力和优势的严格统一。