Information modeling for intrusion report aggregation

2001 
The paper describes the SCYLLARUS approach to fusing reports from multiple intrusion detection systems (IDSes) to provide an overall approach to intrusion situation awareness. The overall view provided by SCYLLARUS centers on the site's security goals, aggregating large numbers of individual IDS reports according to their impact on those goals. This view reduces information overload by aggregating multiple IDS reports in a top-down view, and reduces false positives by weighing the evidence provided by multiple IDSes and other information sources. Unlike previous efforts in this area, SCYLLARUS is centered around its intrusion reference model (IRM). The SCYLLARUS IRM contains both dynamic and static (configuration) information. The static portion of the IRM comprises a network entity/relationship database (NERD), providing information about the site's hardware and software; a security goal database, describing the site's objectives and security policy; and an event dictionary, describing important events, both intrusive and benign. The dynamic portion of the IRM comprises the set of IDS reports, the events SCYLLARUS hypothesizes to explain them, and the resulting judgment of the state of the site's security goals.
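The following is an added illustration, not code from the SCYLLARUS paper, of how the IRM structure described above can drive aggregation: a small static IRM (NERD, event dictionary, security goals) is constructed inline, reports from several IDS sensors are grouped into event hypotheses, evidence from independent sensors is combined (the per-sensor reliability weights and the combination rule are assumptions), and the state of each security goal is judged from the hypotheses that threaten it.

```python
from collections import defaultdict
from dataclasses import dataclass

# Static IRM, constructed sample data (hostnames, goals and weights are assumed).
NERD = {"db01": {"services": ["oracle"]}, "web01": {"services": ["httpd"]}}
EVENT_DICTIONARY = {"port_scan": {"intrusive": False},
                    "root_compromise": {"intrusive": True}}
SECURITY_GOALS = {"db-integrity": {"hosts": ["db01"], "threatened_by": ["root_compromise"]},
                  "web-availability": {"hosts": ["web01"], "threatened_by": ["root_compromise"]}}


@dataclass(frozen=True)
class IDSReport:
    sensor: str       # which IDS produced the report
    reliability: float  # assumed prior that this sensor's report is correct
    event: str        # key into EVENT_DICTIONARY
    host: str         # key into NERD


def hypothesize_events(reports):
    """Group reports into hypothesized events keyed by (event, host).

    Each sensor counts once per hypothesis, so a sensor repeating the same alert does
    not inflate confidence; independent sensors combine as 1 - prod(1 - reliability).
    """
    sensors_by_key = defaultdict(dict)
    for r in reports:
        if r.event not in EVENT_DICTIONARY or r.host not in NERD:
            continue  # report does not map onto the static IRM; ignore it
        seen = sensors_by_key[(r.event, r.host)]
        seen[r.sensor] = max(seen.get(r.sensor, 0.0), r.reliability)
    hypotheses = {}
    for key, sensors in sensors_by_key.items():
        p_all_wrong = 1.0
        for w in sensors.values():
            p_all_wrong *= 1.0 - w
        hypotheses[key] = round(1.0 - p_all_wrong, 3)
    return hypotheses


def judge_goals(hypotheses, threshold=0.8):
    """Top-down view: mark a goal 'threatened' if a sufficiently confident hypothesis
    of an intrusive event affects one of its hosts; otherwise 'ok'."""
    status = {}
    for goal, spec in SECURITY_GOALS.items():
        threats = [(e, h) for (e, h), c in hypotheses.items()
                   if h in spec["hosts"] and e in spec["threatened_by"]
                   and EVENT_DICTIONARY[e]["intrusive"] and c >= threshold]
        status[goal] = "threatened" if threats else "ok"
    return status


# Constructed sample reports: two sensors agree on db01; only one (repeated) on web01.
SAMPLE_REPORTS = [
    IDSReport("snort-edge", 0.6, "root_compromise", "db01"),
    IDSReport("hids-db", 0.7, "root_compromise", "db01"),
    IDSReport("snort-edge", 0.6, "root_compromise", "web01"),
    IDSReport("snort-edge", 0.6, "root_compromise", "web01"),  # duplicate, not double counted
    IDSReport("snort-edge", 0.6, "port_scan", "web01"),
    IDSReport("hids-db", 0.7, "port_scan", "web01"),
]
```

Running `judge_goals(hypothesize_events(SAMPLE_REPORTS))` flags only db-integrity: the corroborated root_compromise on db01 reaches confidence 0.88, while the single-sensor report on web01 stays at 0.6 and the corroborated port_scan is benign in the event dictionary.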