Current practice for combating cyber attacks typically use Intrusion Detection Sensors (IDSs) to passively detect and block multi-stage attacks. This work leverages Level-2 fu sion that correlates IDS alerts belonging to the same attacker, and proposes a threat assess ment algorithm to predict potential future attacker actions. The algorithm, TANDI, reduces the problem complexity by separating the models of the attacker's capability and opportu nity, and fuse the two to determine the attacker's intent. Unlike traditional Bayesian-based approaches, which require assigning a large number of edge probabilities, the proposed Level-3 fusion procedure uses only 4 parameters. TANDI has been implemented and tested with randomly created attack sequences. The results demonstrate that TANDI predicts fu ture attack actions accurately as long as the attack is not part of a coordinated attack and contains no insider threats. In the presence of abnormal attack events, TANDI will alarm the network analyst for further analysis. The attempt to evaluate a threat assessment algo rithm via simulation is the first in the literature, and shall open up a new avenue in the area of high level fusion.

Library of Congress Subject Headings

Computer networks--Security measures; Cyberterrorism--Prevention; Computer crimes--Prevention

Publication Date


Document Type


Student Type


Degree Name

Computer Engineering (MS)

Department, Program, or Center

Computer Engineering (KGCOE)


Shanchieh Yang

Advisor/Committee Member

Moises Sudit

Advisor/Committee Member

Greg Semeraro


Physical copy available from RIT's Wallace Library at TK5105.59 .H64 2006


RIT – Main Campus