Abstract
To find attack patterns in a large volume of redundant alert logs, build multi-step attack scenarios, and eliminate false alerts, this paper proposes a new multi-step attack scenario construction model with two parts: an offline mode and an online mode. In the offline mode, known real attack alert logs are used to train a neural network that removes false alerts; the remaining alerts are then aggregated and causally associated into attack sequences, from which a Bayesian network attack graph is generated. In the online mode, a large volume of live alert logs is used to update the neural network and the Bayesian network attack graph produced by the offline mode, so that each iteration of the attack graph becomes more complete and accurate. Finally, we extract a variety of multi-step attack scenarios from the Bayesian network attack graph, which eliminates false alerts from the redundant IDS alert logs. To verify the validity of the algorithm, we test it on the DARPA 2000 dataset, and the results show that the algorithm has higher accuracy.
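The offline pipeline sketched in the abstract (aggregate redundant alerts, causally associate them into sequences, estimate conditional probabilities for a Bayesian attack graph, extract multi-step scenarios) is illustrated below with an added Python example that is not the paper's code and omits its neural-network false-alert filter. The alert records, signature names, the host-based linking rule and the two time thresholds are all assumptions constructed for the illustration.

```python
from collections import Counter, defaultdict

# Constructed sample IDS alerts (not DARPA 2000 data): (time_s, src, dst, signature).
ALERTS = [
    (1, "10.0.0.5", "10.0.0.9", "Sadmind_Ping"), (2, "10.0.0.5", "10.0.0.9", "Sadmind_Ping"),
    (3, "10.0.0.5", "10.0.0.9", "Sadmind_Ping"), (9, "10.0.0.5", "10.0.0.9", "Sadmind_Overflow"),
    (15, "10.0.0.9", "10.0.0.9", "Rsh_Login"), (20, "10.0.0.5", "10.0.0.7", "Sadmind_Ping"),
    (25, "10.0.0.5", "10.0.0.7", "Sadmind_Overflow"), (30, "10.0.0.5", "10.0.0.7", "Sadmind_Overflow"),
    (40, "10.0.0.7", "10.0.0.7", "Rsh_Login"), (50, "10.0.0.7", "10.0.0.1", "Mstream_DDoS"),
    (60, "10.0.0.2", "10.0.0.9", "Sadmind_Ping"),  # a scan nobody followed up on
]
WINDOW = 10      # s: alerts with equal (src, dst, sig) this close are duplicates (assumed)
CAUSAL_GAP = 30  # s: longest distance between a cause alert and its effect (assumed)

def aggregate(alerts):
    """Collapse redundant alerts: same src/dst/signature within WINDOW seconds."""
    out = []
    for a in sorted(alerts):
        if out and out[-1][1:] == a[1:] and a[0] - out[-1][0] <= WINDOW:
            continue
        out.append(a)
    return out

def causal_edges(agg):
    """Estimate P(next_sig | sig): each alert b is linked to the most recent alert a
    whose target is b's source (attacker pivoted) or b's target (same victim)."""
    occ, trans = Counter(), defaultdict(Counter)
    for i, b in enumerate(agg):
        occ[b[3]] += 1
        for a in reversed(agg[:i]):
            if b[0] - a[0] > CAUSAL_GAP:
                break
            if a[2] in (b[1], b[2]):
                trans[a[3]][b[3]] += 1
                break
    return {a: {b: n / occ[a] for b, n in nxt.items()} for a, nxt in trans.items()}

def scenarios(edges, min_prob=0.4):
    """Walk the graph from signatures that have no predecessor and return every
    maximal chain whose edges all have conditional probability >= min_prob."""
    has_parent = {b for nxt in edges.values() for b in nxt}
    found = []
    def walk(path, prob):
        steps = {b: p for b, p in edges.get(path[-1], {}).items()
                 if p >= min_prob and b not in path}
        if not steps:
            found.append((path, round(prob, 3)))
        for b, p in steps.items():
            walk(path + [b], prob * p)
    for start in edges:
        if start not in has_parent:
            walk([start], 1.0)
    return found
```

Raising `min_prob` prunes low-confidence steps from the extracted scenario, which is how a weakly supported edge such as the final DDoS step drops out at a stricter threshold.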
Acknowledgements
This work was supported by The National Key Research and Development Program of China under Grant 2016YFB0800903, the NSF of China (U1636112, U1636212).
Copyright information
© 2019 Springer Nature Switzerland AG
Cite this paper
Liu, J., Liu, B., Zhang, R., Wang, C. (2019). Multi-step Attack Scenarios Mining Based on Neural Network and Bayesian Network Attack Graph. In: Sun, X., Pan, Z., Bertino, E. (eds) Artificial Intelligence and Security. ICAIS 2019. Lecture Notes in Computer Science, vol 11633. Springer, Cham. https://doi.org/10.1007/978-3-030-24265-7_6
DOI: https://doi.org/10.1007/978-3-030-24265-7_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-24264-0
Online ISBN: 978-3-030-24265-7
eBook Packages: Computer Science, Computer Science (R0)