This article presents the need for multisensor data fusion in building
next-generation cyberspace intrusion detection (ID) systems, in order to
effectively create cyberspace situational awareness. Recent industry studies
forecast the consumer market for
security assessment tools will grow from approximately $150 million per year in
1999 to over $600 million in 2002. This article provides a brief review of ID
concepts and terms and an overview of the art and science of multisensor
data-fusion technology, and introduces the ID systems data-mining environment
as a complementary process to the ID system data-fusion model. The latter is a
rules-based pattern matching system where audits are matched against subject
profiles to detect computer misuse based on logins, program executions, and
file access. Waltz introduces some of the generic sensor characteristics, such
as detection performance based on false alarm rate and spatial coverage, that
can be applied to next-generation cyberspace ID systems. Data fusion uses known
ID templates and pattern recognition. Data mining processes search for hidden
patterns based on previously undetected intrusions to help develop new
detection templates and, in addition, focus on the current state of the network
based on past data, using the operations of clustering, association and
statistical analysis.