ARF : an Automated Real-Time Fuzzy Logic Threat Evaluation System.

Abstract

Intrusion Detection has emerged as a powerful component of network security systems. A wide range of hardware and software components exist to meet most basic security needs on all platforms. These systems log system usage that could be considered as a breach of security in many networks. However, signature based intrusion detection systems have one catastrophic downfall, in that the number of alerts being logged can quickly outgrow the amount of resources necessary to investigate this anomalous behavior. This thesis explores the use of a fuzzy logic based analysis engine that gives an overall threat level of an intrusion detection sensor, prioritizing alerts that are the most threatening. This application gives security personnel a launching point to determine where security holes exist and a snapshot of the threats that exist in a system. The fuzzy logic system is based on a set of membership functions that define certain metrics from an alert dataset and a set of rules that determine a threat level based on the defined metrics. This application functions as a proof of concept prototype for an administrative tool that can analyze multiple sensors across multiple networks and give a reasonable output of the threat level across a series of intrusion detection sensors on a network. Initial testing indicates promising performance results for testing the threat level of a remote sensor using this methodology.