Nexat: a history-based approach to predict attacker actions

Computer networks are constantly being targeted by different attacks. Since not all attacks are created equal, it is of paramount importance for network administrators to be aware of the status of the network infrastructure, the relevance of each attack with respect to the goals of the organization under attack, and also the most likely next steps of the attackers. In particular, the last capability, attack prediction, is of the most importance and value to the network administrators, as it enables them to provision the required actions to stop the attack and/or minimize its damage to the network's assets. Unfortunately, the existing approaches to attack prediction either provide limited useful information or are too complex to scale to the real-world scenarios. In this paper, we present a novel approach to the prediction of the actions of the attackers. Our approach uses machine learning techniques to learn the historical behavior of attackers and then, at the run time, leverages this knowledge in order to produce an estimate of the likely future actions of the attackers. We implemented our approach in a prototype tool, called Nexat, and validated its accuracy leveraging a dataset from a hacking competition. The evaluations show that Nexat is able to predict the next steps of attackers with very high accuracy. In particular, Nexat achieves a 94% accuracy in predicting the next actions of the attackers in our prototype implementation. In addition, Nexat requires little computational resources and can be run in real-time for instant prediction of the attacks.

[1]  Christopher Krügel,et al.  Using Alert Verification to Identify Successful Intrusion Attempts , 2004, Prax. Inf.verarb. Kommun..

[2]  Mica R. Endsley,et al.  Design and Evaluation for Situation Awareness Enhancement , 1988 .

[3]  Edmund M. Clarke,et al.  Ranking Attack Graphs , 2006, RAID.

[4]  John J. Salerno,et al.  A situation awareness model applied to multiple domains , 2005, SPIE Defense + Commercial Sensing.

[5]  Martin Roesch,et al.  Snort - Lightweight Intrusion Detection for Networks , 1999 .

[6]  Wenke Lee,et al.  Statistical Causality Analysis of INFOSEC Alert Data , 2003, RAID.

[7]  Jens Rasmussen,et al.  Skills, rules, and knowledge; signals, signs, and symbols, and other distinctions in human performance models , 1983, IEEE Transactions on Systems, Man, and Cybernetics.

[8]  Christopher Krügel,et al.  Comprehensive approach to intrusion detection alert correlation , 2004, IEEE Transactions on Dependable and Secure Computing.

[9]  John Yen,et al.  Cyber SA: Situational Awareness for Cyber Defense , 2010, Cyber Situational Awareness.

[10]  Peng Ning,et al.  Analyzing Intensive Intrusion Alerts via Correlation , 2002, RAID.

[11]  Hervé Debar,et al.  Aggregation and Correlation of Intrusion-Detection Alerts , 2001, Recent Advances in Intrusion Detection.

[12]  Robert P. Goldman,et al.  Plan recognition in intrusion detection systems , 2001, Proceedings DARPA Information Survivability Conference and Exposition II. DISCEX'01.

[13]  John J. Salerno,et al.  Realizing situation awareness within a cyber environment , 2006, SPIE Defense + Commercial Sensing.

[14]  Christopher Krügel,et al.  Intrusion Detection and Correlation - Challenges and Solutions , 2004, Advances in Information Security.

[15]  Mica R. Endsley,et al.  Toward a Theory of Situation Awareness in Dynamic Systems , 1995, Hum. Factors.

[16]  Wei Jiang,et al.  A Stochastic Game Theoretic Approach to Attack Prediction and Optimal Active Defense Strategy Decision , 2008, 2008 IEEE International Conference on Networking, Sensing and Control.

[17]  G. Klein,et al.  Recognition-Primed Decision Strategies. , 1996 .

[18]  Vern Paxson,et al.  Bro: a system for detecting network intruders in real-time , 1998, Comput. Networks.

[19]  Frédéric Cuppens,et al.  Alert correlation in a cooperative intrusion detection framework , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[20]  Sushil Jajodia,et al.  Using attack graphs for correlating, hypothesizing, and predicting intrusion alerts , 2006, Comput. Commun..

[21]  Narsingh Deo,et al.  The Derivation and Use of a Scalable Model for Network Attack Identification and Path Prediction , 2008, J. Networks.

[22]  Peng Ning,et al.  Constructing attack scenarios through correlation of intrusion alerts , 2002, CCS '02.

[23]  Sushil Jajodia,et al.  Understanding complex network attack graphs through clustered adjacency matrices , 2005, 21st Annual Computer Security Applications Conference (ACSAC'05).

[24]  Alfonso Valdes,et al.  A Mission-Impact-Based Approach to INFOSEC Alarm Correlation , 2002, RAID.

[25]  Wenke Lee,et al.  Attack plan recognition and prediction using causal networks , 2004, 20th Annual Computer Security Applications Conference.