Online Risk Assessment of Intrusion Scenarios Using D-S Evidence Theory

  • C. P. Mu
  • X. J. Li
  • H. K. Huang
  • S. F. Tian
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5283)


This paper presents an online risk assessment model based on Dempster-Shafer (D-S) evidence theory. The model quantifies, in real time, the risk caused by an intrusion scenario and gives an objective evaluation of the target's security state. The results of the online assessment give a clear and concise picture of both the progress of the intrusion and the security state of the target. The model makes full use of the available information from both IDS alerts and the protected targets, and D-S evidence theory lets it combine that information while handling the uncertainty and subjectivity inherent in the evaluation process. In IDAM&IRS, the model serves as the foundation for intrusion response decision-making.
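The abstract names D-S evidence theory as the fusion mechanism but, being an abstract, shows none of it. The following is an added, self-contained example of the standard machinery the paper builds on: Dempster's rule of combination folded over a stream of intrusion evidence, with belief and plausibility read off the result. It is not code from the paper or from the IDAM&IRS system. The frame of discernment (three risk levels for one target), the three evidence sources and every mass value are constructed for illustration; the paper's own mass assignments and risk index are not reproduced here. The pignistic transformation at the end is one common way to collapse a mass function to a point probability per level, included as an assumption about how a scalar risk figure could be derived, not as the paper's method.

```python
"""Dempster-Shafer fusion of intrusion evidence: an added, self-contained
example, not code from the paper or its IDAM&IRS system. The frame of
discernment, the evidence sources and every mass value below are constructed
for illustration."""
from itertools import product

# Assumed frame of discernment: the risk level of one protected target.
THETA = frozenset({"low", "medium", "high"})


def S(*levels):
    """Subset of THETA used as a focal element (hypothesis)."""
    return frozenset(levels)


def check_bpa(m):
    """Validate a basic probability assignment: non-empty focal elements
    inside THETA, non-negative masses summing to 1."""
    total = 0.0
    for focal, mass in m.items():
        if not focal or not focal <= THETA:
            raise ValueError(f"focal element {set(focal)} is not a non-empty subset of THETA")
        if mass < 0:
            raise ValueError(f"negative mass {mass} on {set(focal)}")
        total += mass
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"masses sum to {total:.6f}, not 1")
    return m


def combine(m1, m2):
    """Dempster's rule of combination. Returns (m12, K): the combined BPA and
    the conflict mass K that normalisation discarded."""
    joint, conflict = {}, 0.0
    for (a, ma), (b, mb) in product(m1.items(), m2.items()):
        inter = a & b
        if inter:
            joint[inter] = joint.get(inter, 0.0) + ma * mb
        else:
            conflict += ma * mb          # focal elements that contradict each other
    if conflict > 1.0 - 1e-12:
        # Total conflict: the rule would divide by zero; refuse rather than guess.
        raise ValueError("total conflict between evidence sources")
    return {k: v / (1.0 - conflict) for k, v in joint.items()}, conflict


def belief(m, hyp):
    """Bel(hyp): mass that fully supports hyp."""
    return sum(v for k, v in m.items() if k <= hyp)


def plausibility(m, hyp):
    """Pl(hyp): mass that does not contradict hyp."""
    return sum(v for k, v in m.items() if k & hyp)


def pignistic(m):
    """BetP: spread each focal element's mass equally over its members, giving
    one point probability per risk level (an assumed way to get a scalar)."""
    p = {x: 0.0 for x in THETA}
    for focal, mass in m.items():
        for x in focal:
            p[x] += mass / len(focal)
    return p


# Constructed evidence stream, in arrival order. Each item is a label and a BPA;
# mass left on THETA expresses how unreliable that source is taken to be.
EVIDENCE = [
    ("IDS alert: remote exploit attempt, sensor reliability 0.6",
     {S("high"): 0.6, THETA: 0.4}),
    ("target inventory: vulnerable service version is running",
     {S("medium", "high"): 0.7, THETA: 0.3}),
    ("flow record: no response traffic from the target",
     {S("low"): 0.3, THETA: 0.7}),
]


def assess(evidence):
    """Online assessment: fold each new piece of evidence into the running
    BPA and record the conflict that each step introduced."""
    m = {THETA: 1.0}                     # vacuous BPA: total ignorance
    conflicts = []
    for _, bpa in evidence:
        m, k = combine(m, check_bpa(bpa))
        conflicts.append(k)
    return m, conflicts


if __name__ == "__main__":
    m, ks = assess(EVIDENCE)
    for (label, _), k in zip(EVIDENCE, ks):
        print(f"{label}: conflict K={k:.3f}")
    for focal, mass in sorted(m.items(), key=lambda kv: -kv[1]):
        print(f"  m({sorted(focal)}) = {mass:.3f}")
    high = S("high")
    print(f"Bel(high)={belief(m, high):.3f}  Pl(high)={plausibility(m, high):.3f}")
    print("BetP:", {k: round(v, 3) for k, v in pignistic(m).items()})
```

The conflict K returned per step is worth logging in a real system: the first two sources agree (K = 0), the third contradicts them (K = 0.264), and Dempster's rule silently renormalises that away. A large K means the sources disagree about the target, which is itself a signal (a stale inventory, a misfiring sensor, or an attacker who has changed the target's behaviour), and a K of 1 means the rule cannot be applied at all, which the example refuses rather than hides.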


Keywords: Online Risk Assessment; Intrusion Detection; Alert Processing; Intrusion Response; D-S Evidence Theory



Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • C. P. Mu (1)
  • X. J. Li (2, 3)
  • H. K. Huang (2)
  • S. F. Tian (2)
  1. School of Mechatronic Engineering, Beijing Institute of Technology, Beijing, P.R. China
  2. School of Computer and Information Technology, Beijing Jiaotong University, Beijing, P.R. China
  3. School of Information Engineering, Nanchang University, Nanchang, P.R. China
