Automatic multi-step attack pattern discovering

Current alert-correlation techniques for recognizing multi-step attacks are hard to apply in practice because of the complexity of the methods and the heavy computational workload of alert analysis and processing. In this paper we propose a new alert-correlation method that condenses security event information and uses it to find multi-step attack patterns. Alerts are first aggregated into high-level (hyper) alerts using an extension time window. Hyper alerts are then connected into candidate multi-step attack patterns according to their IP address associations. The real multi-step attack patterns are finally selected from these candidates by a quantitative correlation calculation. Our experiments show that the method is easy to implement and practical to deploy, that it effectively finds real multi-step attack behavior patterns, and that it can be used to identify true attack threats.
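The three stages sketched in the abstract (aggregate alerts into hyper alerts with an extension time window, link hyper alerts by IP association, score the candidate chains) are illustrated below in a small added Python example. It is not the paper's code: the window semantics (a window that keeps extending while matching alerts arrive within a base gap), the two IP-association rules (same attacker/target pair, or the first step's target is the next step's source), and the support/confidence scoring are all this example's assumptions, and the alert data is constructed.

```python
"""Added toy implementation of the pipeline sketched in the abstract:
raw IDS alerts -> hyper-alerts (extension time window) -> candidate
multi-step chains (IP association) -> quantitatively scored patterns.
Window semantics, IP-association rules and the scoring formula are this
example's assumptions, not the paper's definitions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Alert:
    ts: float      # seconds since some epoch
    sig: str       # IDS signature / alert type
    src: str
    dst: str


@dataclass
class HyperAlert:
    sig: str
    src: str
    dst: str
    start: float
    end: float
    count: int


def aggregate(alerts, base_window=60.0):
    """Merge alerts with identical (sig, src, dst) into hyper-alerts.
    Assumed 'extension time window': the window is not fixed; every new
    matching alert that lands within base_window of the current end
    extends the window, so a sustained burst becomes one hyper-alert
    while a quiet gap closes it and starts a fresh one."""
    open_ha = {}
    closed = []
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.sig, a.src, a.dst)
        ha = open_ha.get(key)
        if ha is not None and a.ts - ha.end <= base_window:
            ha.end = a.ts
            ha.count += 1
        else:
            if ha is not None:
                closed.append(ha)
            open_ha[key] = HyperAlert(a.sig, a.src, a.dst, a.ts, a.ts, 1)
    closed.extend(open_ha.values())
    return sorted(closed, key=lambda h: h.start)


def link_by_ip(hyper_alerts, max_gap=3600.0):
    """Directed edges (i, j) between hyper-alerts that may be consecutive
    steps: j starts after i ends, within max_gap, and the two are
    IP-associated (assumed rules: same attacker/target pair, or i's
    target is j's source, i.e. a pivot through a compromised host)."""
    edges = []
    for i, h1 in enumerate(hyper_alerts):
        for j in range(i + 1, len(hyper_alerts)):
            h2 = hyper_alerts[j]
            if h2.start < h1.end or h2.start - h1.end > max_gap:
                continue
            same_pair = h1.src == h2.src and h1.dst == h2.dst
            pivot = h1.dst == h2.src
            if same_pair or pivot:
                edges.append((i, j))
    return edges


def enumerate_chains(hyper_alerts, edges, max_len=4):
    """All paths of 2..max_len hyper-alerts along the edges; edges only
    point forward in time, so the graph is acyclic and the walk ends."""
    succ = defaultdict(list)
    for i, j in edges:
        succ[i].append(j)
    chains = []

    def walk(path):
        if len(path) >= 2:
            chains.append(tuple(path))
        if len(path) == max_len:
            return
        for nxt in succ[path[-1]]:
            walk(path + [nxt])

    for i in range(len(hyper_alerts)):
        walk([i])
    return chains


def score_patterns(hyper_alerts, chains, min_support=2, min_conf=0.5):
    """Assumed quantitative correlation: a pattern is the signature
    sequence of a chain; support = number of chains showing it;
    confidence = support / number of hyper-alerts carrying the first
    signature (how often step one is actually followed by the rest)."""
    support = defaultdict(int)
    for chain in chains:
        support[tuple(hyper_alerts[i].sig for i in chain)] += 1
    first_sig_total = defaultdict(int)
    for h in hyper_alerts:
        first_sig_total[h.sig] += 1
    result = {}
    for pat, sup in support.items():
        conf = sup / first_sig_total[pat[0]]
        if sup >= min_support and conf >= min_conf:
            result[pat] = (sup, round(conf, 3))
    return result


# Constructed sample alerts (not real data): two attackers run the same
# scan-then-exploit sequence, 10.0.0.5 then pivots from its victim, and
# one stray exploit alert is noise.
SAMPLE_ALERTS = [
    Alert(0, "SCAN", "10.0.0.5", "192.168.1.10"),
    Alert(10, "SCAN", "10.0.0.5", "192.168.1.10"),
    Alert(20, "SCAN", "10.0.0.5", "192.168.1.10"),
    Alert(30, "SCAN", "10.0.0.5", "192.168.1.10"),
    Alert(100, "EXPLOIT", "10.0.0.5", "192.168.1.10"),
    Alert(105, "EXPLOIT", "10.0.0.5", "192.168.1.10"),
    Alert(400, "SCAN", "192.168.1.10", "192.168.1.30"),
    Alert(410, "SCAN", "192.168.1.10", "192.168.1.30"),
    Alert(1000, "SCAN", "10.0.0.7", "192.168.1.20"),
    Alert(1020, "SCAN", "10.0.0.7", "192.168.1.20"),
    Alert(1200, "EXPLOIT", "10.0.0.7", "192.168.1.20"),
    Alert(5000, "EXPLOIT", "10.0.0.9", "192.168.1.40"),
]


def discover(alerts=SAMPLE_ALERTS):
    """Run the whole pipeline; returns hyper-alerts, links and patterns."""
    hyper = aggregate(alerts)
    edges = link_by_ip(hyper)
    chains = enumerate_chains(hyper, edges)
    return hyper, edges, score_patterns(hyper, chains)


if __name__ == "__main__":
    hyper, edges, patterns = discover()
    print(f"{len(SAMPLE_ALERTS)} alerts -> {len(hyper)} hyper-alerts, "
          f"{len(edges)} links")
    for pat, (sup, conf) in patterns.items():
        print(" -> ".join(pat), f"support={sup} confidence={conf}")
```

On the sample data the twelve alerts collapse to six hyper alerts and four links; the pivot chains (SCAN -> SCAN and EXPLOIT -> SCAN through 192.168.1.10) are kept as candidates but fall below the support threshold, so only SCAN -> EXPLOIT survives as a pattern. The thresholds and the confidence denominator are the knobs a practitioner would tune against their own false-positive rate.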
