This paper investigates the fusion process of combining cyber sensors on a network to detect and classify cyber behaviors – good and bad. Some bad cyber activity can be confused as appropriate (good) activity and vice versa. To wrongly block good activity is an error. Also, to allow bad cyber activity to continue believing it to be good activity is also an error. We wish to minimize these errors. Some bad cyber activity can be classified according to its severity. Confusing an extremely severe cyber activity for a mildly bad cyber activity can be a costly mistake also. We assume there are several classification systems present on the network, that is, a sensor, processor and exploiter at a minimum for each system. Also, the sensors may be disparate. Assume each system has a ROC manifold that is known, or has a good approximation. The goal of this paper is to demonstrate that there a best combining rule.

Date Published: 4 May 2017
PDF: 9 pages
Proc. SPIE 10185, Cyber Sensing 2017, 101850H (4 May 2017); doi: 10.1117/12.2267798

Published in SPIE Proceedings Vol. 10185:
Cyber Sensing 2017
Igor V. Ternovskiy; Peter Chin, Editor(s)