SentryPort Technologies Predict. Protect. Prevent.

IRIS - Intelligent Reasoning Incident System

IRIS is the component of the SentryPort Sentinel™ system that monitors events as they are received by the system to determine whether any situations are underway that require action.

The Technology in IRIS

IRIS is built as a hybrid Case Based Reasoning (CBR) system.

Case-Based Reasoning (CBR) is a problem-solving technique which uses a repository of prior cases and their resolutions to make intelligent decisions or recommendations for the current case at hand. The typical use for this technology is in a Helpdesk application. Given the symptoms of the user's problem, a CBR system can identify similar cases, rank them by similarity to the current situation, and then display a list of potential solutions to a helpdesk operator.

In IRIS, we use a modified form of CBR. Instead of operating directly on prior cases, IRIS operates on models which define and describe the cases of interest in the case base. These models are either defined explicitly or built through the support of the STARS component combined with user input.

Learning in IRIS

New cases are added to the case base in IRIS through an interaction with the STARS component. STARS processes the historical database of Incidents and detects situations of interest. These are then converted to a Case to be monitored by IRIS, as described in subsequent sections.

Benefits of this Approach

This approach offers a number of advantages over instance-based CBR systems.
  1. Since IRIS separates the steps of identifying new cases from the operating Case Base, it offers more control over the operation of the system for the Security Manager.
  2. Incident handling is more accurate since the Protocol for each Case is explicitly defined.
  3. Incident handling is fast since there is no need to refer to the prior history of incidents to determine the correct Protocol at runtime.
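
The contrast drawn in this list, as an added example that is not SentryPort's code: instance-based retrieval ranks stored incidents by similarity at runtime, while a model-based case base maps an event straight to an explicitly defined Protocol. The event features, the Jaccard similarity measure, the case models and the protocols are all assumptions made for illustration; the page does not describe how IRIS matches events internally.

```python
from dataclasses import dataclass

# All data below is constructed sample data with hypothetical feature names.

def jaccard(a, b):
    """Similarity of two feature sets: |a & b| / |a | b|."""
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if a | b else 0.0

# Instance-based CBR: every prior incident is stored with the resolution used.
HISTORY = [
    ({"door_forced", "after_hours", "zone_lab"}, "dispatch guard"),
    ({"badge_denied", "after_hours", "zone_lobby"}, "log only"),
    ({"door_forced", "business_hours", "zone_dock"}, "call dock supervisor"),
]

def instance_based(event, history=HISTORY, top=2):
    """Scan the whole incident history and rank it by similarity to the event."""
    ranked = sorted(history, key=lambda c: jaccard(event, c[0]), reverse=True)
    return [(res, round(jaccard(event, feats), 2)) for feats, res in ranked[:top]]

# Model-based case base: each Case is a model with an explicitly defined Protocol.
@dataclass(frozen=True)
class CaseModel:
    name: str
    required: frozenset  # features that must all be present in the event
    protocol: str

CASE_BASE = [
    CaseModel("forced entry after hours",
              frozenset({"door_forced", "after_hours"}), "dispatch guard"),
    CaseModel("repeated badge denial",
              frozenset({"badge_denied", "repeat"}), "lock badge, notify manager"),
]

def model_based(event, case_base=CASE_BASE):
    """Return (case, protocol) for each model the event satisfies; no history lookup."""
    return [(m.name, m.protocol) for m in case_base if m.required <= set(event)]

if __name__ == "__main__":
    event = {"door_forced", "after_hours", "zone_dock"}
    print(instance_based(event))  # ranked candidates, tied scores left to the operator
    print(model_based(event))     # one explicit protocol
```

For the sample event, the instance-based ranking returns two equally similar prior incidents with different resolutions, whereas the model-based lookup returns a single Protocol chosen when the case was defined.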


© 2008 SentryPort Technologies™ All Rights Reserved.