Attack scenario reconstruction approach using attack graph and alert data mining

Abstract

Existing alert correlation methods do not consider the unsuccessful attack paths and the true negative alerts of an IDS (attack steps that occurred but were not reported), which limits the completeness and visualization of attack scenario restoration. To overcome this, an attack graph based alert correlation approach is proposed. The attack graph is first generated with the MulVAL toolkit from the network connectivity and the known vulnerabilities, giving a full view of all vulnerabilities and their interdependence. The alerts are then mapped onto the attack graph to show the initial intrusion situation. Next, attack sequences are extracted from the set of mapped alerts to reflect the initial attack paths, and similar attack sequences are clustered together to obtain the preliminary attack scenarios. Finally, by analyzing the cohesive relationship between the sub-scenarios, the unreported true negative alerts are detected and the broken attack scenarios are merged, improving the reconstruction. Experiments on the test network and the Defcon CTF23 dataset indicate that the proposed approach restores attack scenarios more completely, can further be used for attack forensics and traceability, and provides visualization support for comprehensive vulnerability analysis and targeted intrusion prevention.
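The following is an added toy illustration of the pipeline in the abstract (alert mapping, sequence extraction, and merging of broken sub-scenarios via attack-graph paths); it is not the paper's code. The attack graph, alert stream and node names are constructed here, and MulVAL's output format is not modelled.

```python
from collections import deque

# Constructed attack graph: exploit node -> nodes it enables (the post-condition of
# one exploit is the pre-condition of the next). Not the output of a real MulVAL run.
ATTACK_GRAPH = {
    "exploit_web_A": ["exploit_db_B"],          # foothold on web server A, pivot to DB
    "exploit_mail_D": ["exploit_db_B"],         # a second entry point to the same pivot
    "exploit_db_B": ["privesc_db_B"],
    "privesc_db_B": ["exfil_fileshare_C"],
    "exfil_fileshare_C": [],
}

# Constructed IDS alert stream: the exploit_db_B step happened but was never reported.
SAMPLE_ALERTS = [
    {"t": 1, "node": "exploit_web_A"},
    {"t": 2, "node": "scan_noise"},             # no attack-graph node explains this alert
    {"t": 3, "node": "privesc_db_B"},
    {"t": 4, "node": "exfil_fileshare_C"},
    {"t": 5, "node": "exploit_mail_D"},         # unrelated later foothold
]

def map_alerts(alerts, graph):
    """Keep only alerts that correspond to an attack-graph node."""
    return sorted((a for a in alerts if a["node"] in graph), key=lambda a: a["t"])

def build_sequences(mapped, graph):
    """Chain alerts in time order along graph edges; a missing edge starts a new
    sub-scenario, which is how an unreported step surfaces as a broken scenario."""
    sequences, current = [], []
    for a in mapped:
        if current and a["node"] not in graph[current[-1]["node"]]:
            sequences.append(current)
            current = []
        current.append(a)
    return sequences + [current] if current else sequences

def interior_path(graph, src, dst):
    """BFS in the attack graph; nodes strictly between src and dst, or None."""
    prev, queue = {src: None}, deque([src])
    while queue:
        n = queue.popleft()
        if n == dst:
            path = []
            while n != src:
                path.append(n)
                n = prev[n]
            return path[::-1][:-1]              # drop dst itself
        for m in graph[n]:
            if m not in prev:
                prev[m] = n
                queue.append(m)
    return None

def reconstruct(alerts, graph=ATTACK_GRAPH):
    """Merge consecutive sub-scenarios joined by a graph path; the interior nodes of
    that path are the inferred true negative (unreported) alerts."""
    scenarios = []
    for seq in build_sequences(map_alerts(alerts, graph), graph):
        steps = [a["node"] for a in seq]
        if scenarios:
            gap = interior_path(graph, scenarios[-1]["steps"][-1], steps[0])
            if gap is not None:
                scenarios[-1]["missed"] += gap
                scenarios[-1]["steps"] += gap + steps
                continue
        scenarios.append({"steps": steps, "missed": []})
    return scenarios
```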
