Correlation of Intrusion Alarms with Subjective Logic

msra(2008)

Abstract
Today, a variety of intrusion detection systems exist, based on a variety of techniques and data sources. The alarms generated by these sensors need to be managed efficiently to generate an appropriate number of alerts. This could be accomplished by fusing alarms from multiple sensors to report an attack only once, correlating alarms to reduce the number of false alarms, and aggregating alarms to present attack scenarios. This paper proposes a method for reasoning about intrusion attacks by associating beliefs with each type of alarm and analyzing combinations of alarms using subjective logic. The advantage of this approach is that different types of alarms can easily be combined to enhance the accuracy and trustworthiness of the results, and that evidence coming from less reliable sources can be discounted accordingly.
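The following is an added illustration of the idea in the abstract, not code from the paper: each alarm carries a subjective-logic opinion (belief, disbelief, uncertainty), a less reliable sensor is discounted by the analyst's trust in it, and the results are fused. It assumes Jøsang's standard discounting and consensus operators, which the abstract does not specify; the sensor names and all numeric values are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Opinion:
    """Binomial opinion on 'this alarm reflects a real attack'; b + d + u = 1."""
    b: float        # belief
    d: float        # disbelief
    u: float        # uncertainty
    a: float = 0.5  # base rate (assumed prior)

    def expected(self) -> float:
        """Project the opinion onto a single probability."""
        return self.b + self.a * self.u

def discount(trust: Opinion, alarm: Opinion) -> Opinion:
    """Weaken a sensor's opinion by the analyst's trust in that sensor."""
    return Opinion(trust.b * alarm.b, trust.b * alarm.d,
                   trust.d + trust.u + trust.b * alarm.u, alarm.a)

def consensus(x: Opinion, y: Opinion) -> Opinion:
    """Fuse two independent opinions about the same event."""
    k = x.u + y.u - x.u * y.u
    if k == 0:  # both dogmatic (u == 0): equal weighting assumed
        return Opinion((x.b + y.b) / 2, (x.d + y.d) / 2, 0.0, x.a)
    return Opinion((x.b * y.u + y.b * x.u) / k,
                   (x.d * y.u + y.d * x.u) / k,
                   (x.u * y.u) / k, x.a)

def correlate(reports):
    """reports: iterable of (trust_in_sensor, sensor_opinion) pairs."""
    fused = None
    for trust, alarm in reports:
        op = discount(trust, alarm)
        fused = op if fused is None else consensus(fused, op)
    return fused

# Constructed sample: a well-trusted signature sensor and a less trusted
# anomaly sensor both raise an alarm for the same event.
SIGNATURE_IDS = (Opinion(0.9, 0.0, 0.1), Opinion(0.8, 0.1, 0.1))
ANOMALY_IDS = (Opinion(0.5, 0.2, 0.3), Opinion(0.9, 0.0, 0.1))

if __name__ == "__main__":
    fused = correlate([SIGNATURE_IDS, ANOMALY_IDS])
    print(fused, round(fused.expected(), 3))
```

The anomaly sensor's strong belief (0.9) is cut to 0.45 by discounting, yet fusing it with the signature alarm still lowers the overall uncertainty below either sensor's own.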