Constructing Attack Scenario using Sequential Pattern Mining with Correlated Candidate Sequences

With the rise of cyber attacks, the volume of audited security data, such as alerts produced by Intrusion Detection Systems (IDSs), has increased dramatically. Analysing and managing these massive numbers of alerts has become a critical and challenging problem. Alert correlation is a useful approach for reducing alert volume and discovering multi-stage attack scenarios. In this paper we propose a framework that recognizes multi-stage attack scenarios, together with their associated severity level, in real time. A sequential pattern mining algorithm is used to discover attack patterns and to predict upcoming attack steps. To improve the accuracy of the generated patterns, we incorporate candidate verification, which computes the correlativity between alerts while candidate attack sequences are being generated, so that sequences that are merely frequent but whose alerts are unrelated are discarded. At the same time, the framework assigns a severity rank to each discovered multi-stage attack scenario.
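The following is an added illustration of the approach sketched in the abstract; it is not the paper's code. It runs an Apriori/GSP-style level-wise sequential miner over a handful of constructed IDS alert sessions, and at each level it keeps a candidate only if it is both frequent and passes a correlativity check. The correlativity test (consecutive alerts in the embedding share a source, share a destination, or the first alert's destination is the second alert's source), the per-stage severity weights, the IP addresses and the alert names are all assumptions made for the example; the paper's actual correlativity measure and severity model are not given in the text above.

```python
"""Added example: GSP-style sequential pattern mining over IDS alert sessions,
with candidate verification by an alert-correlativity score and a severity rank
per discovered scenario. All data and scoring rules are constructed assumptions."""
from collections import namedtuple
from itertools import product

Alert = namedtuple("Alert", "kind src dst")

# Constructed, time-ordered alert sessions (documentation IP ranges).
SESSIONS = [
    [Alert("PORTSCAN", "10.0.0.5", "10.0.1.20"), Alert("SSH_BRUTE", "10.0.0.5", "10.0.1.20"),
     Alert("SSH_LOGIN", "10.0.0.5", "10.0.1.20"), Alert("DATA_EXFIL", "10.0.1.20", "203.0.113.9")],
    [Alert("PORTSCAN", "10.0.0.7", "10.0.1.22"), Alert("SSH_BRUTE", "10.0.0.7", "10.0.1.22"),
     Alert("SSH_LOGIN", "10.0.0.7", "10.0.1.22")],
    [Alert("PORTSCAN", "10.0.0.9", "10.0.1.30"), Alert("ICMP_FLOOD", "198.51.100.4", "10.0.1.99"),
     Alert("SSH_BRUTE", "10.0.0.9", "10.0.1.30")],
    [Alert("SSH_BRUTE", "10.0.0.8", "10.0.1.21"), Alert("SSH_LOGIN", "10.0.0.8", "10.0.1.21"),
     Alert("DATA_EXFIL", "10.0.1.21", "203.0.113.9")],
    [Alert("PORTSCAN", "10.0.0.6", "10.0.1.25"), Alert("ICMP_FLOOD", "198.51.100.4", "10.0.1.99")],
]

# Assumed per-stage severity weights (not taken from the paper).
STAGE_WEIGHT = {"PORTSCAN": 1, "ICMP_FLOOD": 2, "SSH_BRUTE": 2, "SSH_LOGIN": 3, "DATA_EXFIL": 5}


def embed(pattern, session):
    """Leftmost embedding of a pattern (tuple of alert kinds) in a session, or None."""
    hits, i = [], 0
    for alert in session:
        if i < len(pattern) and alert.kind == pattern[i]:
            hits.append(alert)
            i += 1
    return hits if i == len(pattern) else None


def linked(a, b):
    """Assumed correlativity test: two consecutive alerts share an endpoint."""
    return a.src == b.src or a.dst == b.dst or a.dst == b.src


def evaluate(pattern, sessions):
    """Return (support, correlativity). Support counts sessions that embed the
    pattern; correlativity is the fraction of those embeddings in which every
    consecutive pair is linked (1.0 for single alerts, which have no pairs)."""
    embeddings = [e for e in (embed(pattern, s) for s in sessions) if e]
    if not embeddings:
        return 0, 0.0
    good = sum(all(linked(e[i], e[i + 1]) for i in range(len(e) - 1)) for e in embeddings)
    return len(embeddings), good / len(embeddings)


def join(frequent):
    """GSP-style join: candidate p + q[-1] whenever p[1:] == q[:-1]."""
    return {p + (q[-1],) for p, q in product(frequent, repeat=2) if p[1:] == q[:-1]}


def mine(sessions, min_support=2, min_corr=0.5):
    """Level-wise mining; a candidate survives only if frequent AND correlated."""
    kinds = sorted({a.kind for s in sessions for a in s})
    patterns, level = {}, {(k,) for k in kinds}
    while level:
        frequent = set()
        for cand in level:
            sup, corr = evaluate(cand, sessions)
            if sup >= min_support and corr >= min_corr:
                patterns[cand] = (sup, corr)
                frequent.add(cand)
        level = join(frequent)
    return patterns


def severity(pattern):
    """Assumed severity rank: the heaviest stage the scenario reaches."""
    return max(STAGE_WEIGHT[k] for k in pattern)


def predict_next(observed, patterns):
    """Predicted next stages: mined patterns that extend the observed prefix by one."""
    n = len(observed)
    return {p[n]: sup for p, (sup, _) in patterns.items() if len(p) == n + 1 and p[:n] == observed}


if __name__ == "__main__":
    found = mine(SESSIONS)
    for pat in sorted(found, key=lambda p: (-len(p), p)):
        print(f"{' -> '.join(pat):45s} support={found[pat][0]} corr={found[pat][1]:.2f} sev={severity(pat)}")
    print("after SSH_BRUTE -> SSH_LOGIN, expect:", predict_next(("SSH_BRUTE", "SSH_LOGIN"), found))
```

The point the verification step makes is visible in the constructed data: the pair PORTSCAN -> ICMP_FLOOD occurs in two sessions and so meets the support threshold, but its alerts never share an endpoint, so the correlativity score is 0.0 and the candidate is rejected instead of becoming a spurious "attack scenario". The prefix SSH_BRUTE -> SSH_LOGIN, by contrast, yields DATA_EXFIL as the predicted next stage with the highest severity rank in the table.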
