Evidential Reasoning in Real-time Monitoring of Computing Systems
Cover - CISSE Volume 4, Issue 1
PDF

Keywords

Belief Function
Intrusion Detection System
Security Risk
Incident Response
Dempster and Shafer Theory

Abstract

We propose and demonstrate the construction of a belief structure based on data captured by a monitoring and intrusion detection system on the state variables that define the computing behavior of critical assets in a computing environment. We also propose a security risk model, using Dempster and Shafer theory, capable of predicting the occurrence of undesired events that can compromise the security of the entire computing environment through the compromise of one of its critical assets. We adopt a more comprehensive definition of information security risk based on the notion of plausibility of undesired events: it covers the potential for the realization of unwanted negative consequences of events, but also any other uncertain conditions that may involve negative or positive effects due to the presence of ambiguity. This method facilitates incorporating into the computing environment's security risk the impact of planned incident responses that pertain to multiple and a priori unknown threats. Because the asset's state variables are managed in real time, we can then devise a security program without exact knowledge of all the threats that produce the undesired events. Our model can thus predict undesired events and plan risk-driven responses without all the details of the threats currently menacing the computing environment.
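The abstract rests on the Dempster-Shafer notions of belief and plausibility and on combining evidence from several monitoring sources. The following Python snippet is an added illustration of that machinery and is not the paper's model or code: it assumes a two-state frame for one critical asset ({compromised, normal}) and uses constructed mass functions standing in for two hypothetical sensors (a network IDS and a host integrity monitor). It applies Dempster's rule of combination, then reads off belief (evidence that definitely supports compromise) and plausibility (evidence that does not rule it out), and maps the gap between them, the ambiguity the abstract refers to, onto a response tier.

```python
from itertools import product

# Frame of discernment for one monitored asset (assumption for this example).
COMPROMISED = frozenset({"compromised"})
NORMAL = frozenset({"normal"})
THETA = COMPROMISED | NORMAL  # total ignorance: "either state"

# Constructed evidence, not measured data. Each mass function assigns mass to
# subsets of the frame; mass on THETA is the sensor's own uncertainty.
EXAMPLE_EVIDENCE = [
    # hypothetical network IDS: alert pattern suggests compromise, but it is noisy
    {COMPROMISED: 0.6, THETA: 0.4},
    # hypothetical host integrity monitor: weak evidence either way
    {COMPROMISED: 0.3, NORMAL: 0.2, THETA: 0.5},
]


def combine(m1, m2):
    """Dempster's rule of combination for two mass functions on the same frame.

    Returns (combined_mass, conflict). Mass falling on an empty intersection is
    the conflict K; the remaining masses are renormalised by 1 - K.
    """
    combined = {}
    conflict = 0.0
    for (a, ma), (b, mb) in product(m1.items(), m2.items()):
        inter = a & b
        if not inter:
            conflict += ma * mb
        else:
            combined[inter] = combined.get(inter, 0.0) + ma * mb
    if conflict >= 1.0:
        raise ValueError("total conflict: the sources cannot be combined")
    return {h: v / (1.0 - conflict) for h, v in combined.items()}, conflict


def fuse(evidence):
    """Fold Dempster's rule over a list of mass functions (order does not matter)."""
    fused = evidence[0]
    for m in evidence[1:]:
        fused, _ = combine(fused, m)
    return fused


def belief(m, hypothesis):
    """Bel(H): total mass on subsets fully inside H."""
    return sum(v for h, v in m.items() if h <= hypothesis)


def plausibility(m, hypothesis):
    """Pl(H): total mass on subsets that intersect H (1 - Bel(not H))."""
    return sum(v for h, v in m.items() if h & hypothesis)


def response_tier(m, hypothesis=COMPROMISED, threshold=0.5):
    """Map the [Bel, Pl] interval onto a risk-driven response (illustrative policy).

    - belief above threshold: the undesired event is supported, respond now
    - only plausibility above threshold: ambiguous, gather more evidence
    - otherwise: keep monitoring
    """
    if belief(m, hypothesis) >= threshold:
        return "respond"
    if plausibility(m, hypothesis) >= threshold:
        return "investigate"
    return "monitor"


def assess(evidence=EXAMPLE_EVIDENCE):
    """Fuse the evidence and report the belief/plausibility interval for compromise."""
    m = fuse(evidence)
    return {
        "belief": belief(m, COMPROMISED),
        "plausibility": plausibility(m, COMPROMISED),
        "tier": response_tier(m),
    }


if __name__ == "__main__":
    result = assess()
    print(f"Bel(compromised) = {result['belief']:.3f}")
    print(f"Pl(compromised)  = {result['plausibility']:.3f}")
    print(f"response tier    = {result['tier']}")
```

With the constructed masses above, 0.12 of the product mass lands on the empty set (the IDS says "compromised" while the host monitor says "normal") and is discarded by renormalisation; the fused interval for compromise is roughly [0.68, 0.91], so the policy returns "respond". Setting the IDS mass on THETA higher widens the interval and pushes the same asset into the "investigate" tier, which is the kind of ambiguity-aware decision the abstract's plausibility-based risk notion is meant to support.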