Abstract
We describe the Scyllarus system, which performs Intrusion Detection System (IDS) fusion, using Bayes nets and qualitative probability. IDSes are systems that sense intrusions in computer networks and hosts. IDS fusion is the problem of fusing reports from multiple IDSes scattered around a computer network we wish to defend, into a coherent overall picture of network status. Scyllarus treats the problem of IDS fusion as an abduction problem, formalized using Bayes nets and Knowledge-based Model Construction (KBMC). Because of the coarseness of the data available, Scyllarus uses a qualitative framework, based on System-Z+. Qualitative Bayes nets allow Scyllarus to exploit the trengths of probabilistic reasoning, without excessive knowledge acquisition and without committing to a misleading level of accuracy in its conclusions.