Modeling of information system correlated events time dependencies

Abstract

Many works have been carried out in events correlation and intrusion detection. Although they use different methods or correlation approaches, they all highlight the importance of time in their modeling process. In this paper, we suggest a new time consideration for our previous works Bayesian behavior intrusion detection. Using a probabilistic approach, we introduce time consideration in the profile of user/system interactions. This enriched profile will integrate all time dependencies among correlated alerts. Some works provide attack graphs scenarios where time dependencies are explicitly defined. In our case, they are learnt during a training period.