In an increasingly connected and networked world, the need to secure computers, networks, and the information that they contain, maintain and transport is growing rapidly. Information security professionals attempt to meet this need by implementing protective systems to keep unauthorized personnel and organizations out, monitoring systems to detect unauthorized activity that gets past the protective systems, and reactive systems to help recover gracefully as well as to continuously improve all the systems in the Protect - Detect - React cycle. This dissertation focuses on the detection phase and discusses a novel approach to intrusion detection involving correlation of low-level events from multiple sources into higher-level events and scenarios, followed by analysis of the scenarios using profiling and data mining approaches. A prototype using events from a network sensor and events from a host sensor was implemented to test the feasibility of the proposed approach.
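The abstract describes the approach only in outline: low-level events from a network sensor and a host sensor are correlated into higher-level scenarios, and the scenarios are then compared against a profile. The following is an added illustration, not code from the dissertation or its prototype. It assumes a simple time-window correlation keyed on the (source, destination) pair, a small fixed set of scenario labels, and a per-host baseline profile; all event records and the baseline are constructed for the example.

```python
"""Added example (not from the dissertation): correlate low-level network and
host sensor events into higher-level scenarios, label each scenario, and flag
scenarios whose frequency departs from a per-host baseline profile.
All event data and the baseline below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed network sensor events: (timestamp, src, dst, dst_port, alert).
NETWORK_EVENTS = [
    ("2024-01-10T09:00:01", "10.0.0.5", "10.0.0.20", 22, "ssh_connect"),
    ("2024-01-10T09:00:09", "10.0.0.5", "10.0.0.20", 22, "ssh_connect"),
    ("2024-01-10T09:00:15", "10.0.0.5", "10.0.0.20", 22, "ssh_connect"),
    ("2024-01-10T11:30:00", "10.0.0.7", "10.0.0.20", 443, "https_connect"),
]
# Constructed host sensor events on 10.0.0.20: (timestamp, host, event).
HOST_EVENTS = [
    ("2024-01-10T09:00:03", "10.0.0.20", "auth_failure"),
    ("2024-01-10T09:00:11", "10.0.0.20", "auth_failure"),
    ("2024-01-10T09:00:17", "10.0.0.20", "auth_success"),
    ("2024-01-10T09:00:40", "10.0.0.20", "new_process:/tmp/x"),
    ("2024-01-10T11:30:02", "10.0.0.20", "auth_success"),
]
# Constructed baseline profile: expected scenario counts per host per day.
BASELINE = {"10.0.0.20": {"benign_session": 5}}

WINDOW = timedelta(seconds=60)  # assumed correlation window (hypothetical value)


def parse(ts):
    return datetime.fromisoformat(ts)


def correlate(net_events, host_events, window=WINDOW):
    """Group events into scenarios keyed by (src, dst).
    A network event opens a scenario (or extends one whose last event is within
    `window`); host events on the destination that fall between the scenario's
    start and its end plus `window` are absorbed into that scenario."""
    scenarios = []
    for ts, src, dst, _port, alert in sorted(net_events):
        t = parse(ts)
        for sc in scenarios:
            if sc["src"] == src and sc["dst"] == dst and t - sc["end"] <= window:
                sc["end"] = t
                sc["events"].append(("net", t, alert))
                break
        else:
            scenarios.append({"src": src, "dst": dst, "start": t, "end": t,
                              "events": [("net", t, alert)]})
    for ts, host, ev in sorted(host_events):
        t = parse(ts)
        for sc in scenarios:
            if sc["dst"] == host and sc["start"] <= t <= sc["end"] + window:
                sc["events"].append(("host", t, ev))
                sc["end"] = max(sc["end"], t)
                break  # each host event is assigned to one scenario only
    return scenarios


def label(scenario):
    """Derive a higher-level scenario name from its low-level events."""
    evs = [e for _, _, e in scenario["events"]]
    failures = evs.count("auth_failure")
    success = "auth_success" in evs
    new_proc = any(e.startswith("new_process:") for e in evs)
    if failures >= 2 and success and new_proc:
        return "brute_force_then_execution"
    if failures >= 2 and success:
        return "brute_force_success"
    if failures >= 2:
        return "brute_force_attempt"
    return "benign_session"


def profile(scenarios):
    """Activity profile: count of each scenario label per destination host."""
    prof = defaultdict(lambda: defaultdict(int))
    for sc in scenarios:
        prof[sc["dst"]][label(sc)] += 1
    return {h: dict(c) for h, c in prof.items()}


def anomalies(current, baseline):
    """Scenario labels whose count on a host exceeds the baseline expectation."""
    out = []
    for host, counts in current.items():
        for lbl, n in counts.items():
            if n > baseline.get(host, {}).get(lbl, 0):
                out.append((host, lbl, n))
    return out


if __name__ == "__main__":
    scs = correlate(NETWORK_EVENTS, HOST_EVENTS)
    for sc in scs:
        print(sc["src"], "->", sc["dst"], label(sc), len(sc["events"]), "events")
    print("anomalies:", anomalies(profile(scs), BASELINE))
```

Three SSH connections followed by two failed and one successful authentication and a new process on the target collapse into one scenario labelled as a brute-force attempt that led to execution; the later HTTPS session with a single successful login stays a benign session. Only the former exceeds the host's baseline and is reported. In practice the window, the label rules and the baseline would be learned or tuned from data, which is where the profiling and data-mining analysis the abstract mentions comes in.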