Title: A Bayesian theory of confirmation for intrusion report fusion in process control networks

Authors: Julian L. Rrushi

Addresses: Faculty of Computer Science, University of New Brunswick, Fredericton, NB, E3B 5A3, Canada

Abstract: We attack the following problem: how to fuse intrusion reports generated individually by intrusion detection algorithms devised especially for process control networks, in such a way that the reports alleviate each other's shortcomings while contributing to a joint intrusion detection intelligence. We propose a mathematical development of Heuer's analysis of competing hypotheses methodology in the form of a Bayesian theory of confirmation. We organise the intrusion hypotheses and the evidence in a matrix, and thereafter use the expectation-maximisation algorithm to estimate probability density functions that give the likelihood of each piece of evidence under each hypothesis, i.e., hypothesis-conditioned probabilities of each piece of evidence. Relations between these likelihoods and the degrees to which hypotheses are confirmed by evidence are modelled via Bayes' theorem, which is used in its ratio form to probabilistically compare competing hypotheses against each other. In this regard, we use the probability tree method to estimate the prior probabilities of the competing hypotheses that enter Bayes' theorem. We also discuss an empirical test of the effectiveness of the proposed theory of confirmation via a technique that we call detection failure injection.
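The abstract describes a pipeline: a hypothesis-evidence matrix, per-hypothesis likelihoods of each report, priors from a probability tree, and Bayes' theorem in ratio form (posterior odds = Bayes factor times prior odds) to rank competing hypotheses, followed by detection failure injection to test robustness. The Python below is an added illustration written for this page, not code from the paper or its author. It assumes three hypotheses, three Boolean detector reports, hand-set likelihoods in place of the paper's EM-estimated density functions, a two-level probability tree for the priors, and it interprets "detection failure injection" as suppressing one detector's report at a time; all of these values and names are constructed assumptions, not the paper's.

```python
"""
Illustrative ACH-style Bayesian confirmation for fusing intrusion reports
from a process control network.  Constructed example; every number below is
an assumption chosen for illustration, not data from the paper.
"""
from math import log

# Competing hypotheses about what is happening on the control network (assumed).
HYPOTHESES = ["benign", "sensor_spoofing", "setpoint_tampering"]

# Hypothesis-evidence matrix: P(detector fires | hypothesis).  The paper
# estimates these with expectation-maximisation; here they are hand-set
# values strictly inside (0, 1) so no likelihood ratio divides by zero.
LIKELIHOOD = {
    "benign":             {"proto_anomaly": 0.05, "physics_violation": 0.02, "hmi_cmd_anomaly": 0.03},
    "sensor_spoofing":    {"proto_anomaly": 0.70, "physics_violation": 0.80, "hmi_cmd_anomaly": 0.10},
    "setpoint_tampering": {"proto_anomaly": 0.30, "physics_violation": 0.60, "hmi_cmd_anomaly": 0.85},
}

# Probability tree for the priors (assumed): root splits into "no attack" (0.9)
# and "attack" (0.1); "attack" splits into sensor spoofing (0.6) and setpoint
# tampering (0.4).  Each hypothesis lists the branch probabilities on its path.
PRIOR_TREE = {
    "benign": [0.9],
    "sensor_spoofing": [0.1, 0.6],
    "setpoint_tampering": [0.1, 0.4],
}

# Constructed observation: protocol and physics detectors fired, HMI detector did not.
SAMPLE_REPORTS = {"proto_anomaly": True, "physics_violation": True, "hmi_cmd_anomaly": False}


def prior(h):
    """Prior of a hypothesis = product of branch probabilities along its tree path."""
    p = 1.0
    for branch in PRIOR_TREE[h]:
        p *= branch
    return p


def likelihood(h, reports):
    """P(reports | h), treating detectors as conditionally independent given h.
    A None entry means that detector produced no report and is skipped."""
    p = 1.0
    for name, fired in reports.items():
        if fired is None:
            continue
        p_fire = LIKELIHOOD[h][name]
        p *= p_fire if fired else (1.0 - p_fire)
    return p


def posterior_odds(h_a, h_b, reports):
    """Bayes' theorem in ratio form:
    P(h_a|E)/P(h_b|E) = [P(E|h_a)/P(E|h_b)] * [P(h_a)/P(h_b)]."""
    bayes_factor = likelihood(h_a, reports) / likelihood(h_b, reports)
    return bayes_factor * prior(h_a) / prior(h_b)


def rank(reports):
    """Return the best-confirmed hypothesis and each hypothesis's
    log posterior odds relative to it (0.0 for the winner, negative otherwise)."""
    scores = {h: prior(h) * likelihood(h, reports) for h in HYPOTHESES}
    best = max(scores, key=scores.get)
    return best, {h: log(scores[h] / scores[best]) for h in HYPOTHESES}


def detection_failure_injection(reports, expected):
    """Suppress each detector's report in turn (assumed meaning of the paper's
    'detection failure injection') and return the detectors whose silence
    flips the fused verdict away from `expected`."""
    fragile = set()
    for name in reports:
        degraded = dict(reports)
        degraded[name] = None
        if rank(degraded)[0] != expected:
            fragile.add(name)
    return fragile


if __name__ == "__main__":
    best, log_odds = rank(SAMPLE_REPORTS)
    print("best hypothesis:", best)
    for h, lo in log_odds.items():
        print(f"  {h:20s} log-odds vs best = {lo:+.3f}")
    print("spoofing vs benign posterior odds:",
          round(posterior_odds("sensor_spoofing", "benign", SAMPLE_REPORTS), 2))
    print("detectors whose failure flips the verdict:",
          detection_failure_injection(SAMPLE_REPORTS, best))
```

With the assumed numbers the fused verdict is sensor spoofing, but suppressing only the physics-violation report lets the benign hypothesis win: the failure injection exposes which single detector the joint decision silently depends on, which is the kind of shortcoming the fusion is meant to surface.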

Keywords: industrial network communications; cyber attack sensing; applied statistics; probability theory; cyber attacks; Bayesian theory of confirmation; intrusion reports; process control networks; intrusion detection.

DOI: 10.1504/IJCCBS.2011.041258

International Journal of Critical Computer-Based Systems, 2011 Vol.2 No.2, pp.162 - 180

Published online: 11 Mar 2015
