Scoring Alerts from Threat Detection Technologies

Robert C. Schrag, Masami Takikawa, Paul Goger, James Eilbert

We describe methods to score alerts---hypotheses about suspected impending threat events that are issued, based on incrementally presented, time-stamped evidence, before the events occur. Our threat events (and thus alerts) have significant object-oriented structure. The alert scoring methods exploit related methods to score precision, recall, and F-value for structured threat hypotheses when such evidence is processed by threat detection technologies in a batch, forensic mode. We present a (deemed-impractical) idealized approach and derivative practical variants. The implemented approach is part of a performance evaluation laboratory (PE Lab) that we have applied during a multi-year, multi-contractor Government research program.

Subjects: 1. Applications; 2. Architectures

This page is copyrighted by AAAI. All rights reserved. Your use of this site constitutes acceptance of all of AAAI's terms and conditions and privacy policy.