The probabilistic technology of the EMERALD eBayes effort is a powerful complement to the signature-based approach of other EMERALD and third-party components. For intrusion detection, we have moved beyond the statistical anomaly detection approach of the earlier NIDES prototype to a system based on Bayes inference. A Bayes system encodes its knowledge base not as rules or signatures but as conditional probability relationships between hypotheses (the classes of activity to be recognized) and the features that are observed. It therefore gains much of the sensitivity and specificity of signature systems while retaining much of the ability of anomaly detection systems to generalize to activity that matches no known signature. The inference required per observation is extremely efficient (one table lookup and multiply per feature and hypothesis), and the resulting detector is quite lightweight.
The project is described in a Quad chart. The eBayes component is more fully presented in our RAID 2000 paper.
Our alert correlation technology is likewise probabilistic: the system we have developed combines Bayes inference with sensor fusion, so that reports from heterogeneous sensors are weighed according to how reliable each sensor is, rather than being matched by fixed rules. For a more complete description, see our RAID 2001 paper.
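The following is an added illustrative example, not eBayes or EMERALD code, that shows the two mechanisms described above in miniature: a naive Bayes session classifier whose knowledge base is a set of conditional probability tables (CPTs) rather than signatures, and a sensor-fusion step that combines alerts from several sensors into one posterior probability of attack. The hypothesis names, feature bins, CPT values, sensor names and their detection and false-alarm rates are all constructed for the example and carry no information about the real eBayes models.

```python
"""Naive Bayes detection and alert fusion, in the spirit of the eBayes description.

Constructed example. Hypotheses, features, CPT values and sensor rates below are
made up for illustration; they are not eBayes parameters.
"""
import math

# Session-level hypotheses the detector decides among (assumed labels).
HYPOTHESES = ("NORMAL", "PORTSWEEP", "MAILBOMB")

# Prior belief before any feature is observed (assumed values).
PRIOR = {"NORMAL": 0.98, "PORTSWEEP": 0.01, "MAILBOMB": 0.01}

# CPTs: P(feature bin | hypothesis). Each feature is discretised into bins.
# This table is the whole "knowledge base"; there are no signatures.
CPT = {
    "unique_ports": {  # distinct destination ports touched in the session
        "NORMAL":    {"low": 0.90, "med": 0.09, "high": 0.01},
        "PORTSWEEP": {"low": 0.02, "med": 0.18, "high": 0.80},
        "MAILBOMB":  {"low": 0.95, "med": 0.04, "high": 0.01},
    },
    "error_rate": {  # share of connections ending in RST / unreachable
        "NORMAL":    {"low": 0.92, "high": 0.08},
        "PORTSWEEP": {"low": 0.15, "high": 0.85},
        "MAILBOMB":  {"low": 0.70, "high": 0.30},
    },
    "conn_rate": {  # connection attempts per second
        "NORMAL":    {"low": 0.97, "high": 0.03},
        "PORTSWEEP": {"low": 0.40, "high": 0.60},
        "MAILBOMB":  {"low": 0.10, "high": 0.90},
    },
    "smtp_share": {  # share of connections to port 25
        "NORMAL":    {"low": 0.80, "high": 0.20},
        "PORTSWEEP": {"low": 0.90, "high": 0.10},
        "MAILBOMB":  {"low": 0.05, "high": 0.95},
    },
}


def posterior(evidence, prior=PRIOR, cpt=CPT):
    """P(hypothesis | observed feature bins).

    Work in log space to avoid underflow. Cost is one lookup-and-add per
    (feature, hypothesis) pair; features not observed yet are simply skipped,
    so the same routine serves partial and complete sessions.
    """
    logw = {h: math.log(p) for h, p in prior.items()}
    for feature, value in evidence.items():
        for h in logw:
            logw[h] += math.log(cpt[feature][h][value])
    m = max(logw.values())  # rescale before exponentiating
    weights = {h: math.exp(w - m) for h, w in logw.items()}
    total = sum(weights.values())
    return {h: w / total for h, w in weights.items()}


def classify(evidence, threshold=0.5):
    """Return (label, posterior). Label is UNDECIDED if no hypothesis is confident."""
    post = posterior(evidence)
    best = max(post, key=post.get)
    return (best if post[best] >= threshold else "UNDECIDED"), post


# --- Alert correlation by sensor fusion -------------------------------------
# Each sensor's report on a target within a time window is modelled as a noisy
# observation of a binary "attack" node. Rates are assumed, per-sensor values.
SENSORS = {
    "signature_ids": {"tpr": 0.70, "fpr": 0.001},  # precise but misses novel attacks
    "ebayes":        {"tpr": 0.85, "fpr": 0.020},  # sensitive but noisier
    "host_monitor":  {"tpr": 0.50, "fpr": 0.005},
}


def fuse_alerts(reports, prior_attack=0.001, sensors=SENSORS):
    """P(attack | sensor reports), sensors conditionally independent given attack.

    A sensor that stayed silent is evidence as well: its silence is weighted by
    (1 - tpr) under attack and (1 - fpr) under benign activity.
    """
    p_attack, p_benign = prior_attack, 1.0 - prior_attack
    for name, alerted in reports.items():
        s = sensors[name]
        p_attack *= s["tpr"] if alerted else 1.0 - s["tpr"]
        p_benign *= s["fpr"] if alerted else 1.0 - s["fpr"]
    return p_attack / (p_attack + p_benign)


if __name__ == "__main__":
    print(classify({"unique_ports": "high", "error_rate": "high"}))
    print(classify({"smtp_share": "high"}))  # one weak feature: prior still wins
    print(classify({"smtp_share": "high", "conn_rate": "high", "error_rate": "high"}))
    print(fuse_alerts({"ebayes": True}))
    print(fuse_alerts({"ebayes": True, "signature_ids": True, "host_monitor": False}))
```

The two halves make the complementarity point concrete: a lone eBayes alert on a rare event barely moves the posterior because the sensor's false-alarm rate is comparable to the base rate of attacks, while corroboration from a precise signature sensor drives it above 0.9 even though a third sensor stayed silent.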
We have applied these systems, together with other EMERALD sensors and SNORT, in a live-traffic analysis study conducted during a period of intense Code Red activity. Our probabilistic detection and correlation technology, working in concert with heterogeneous sensors, showed interesting results in sensor complementarity (different sensors catching different aspects of the same activity) and reinforcement (independent sensors corroborating one another), and also shed light on the temporal nature of the attacks. A draft of our results is available here.