Abstract
Correlating security alerts and discovering attack strategies are important and challenging tasks for security analysts. Several techniques have recently been proposed for analyzing attack scenarios from security alerts. However, most of these approaches depend on a priori, hard-coded domain knowledge, which limits their ability to detect new attack strategies. In this paper, we propose an approach to discover novel attack strategies. Our approach includes two complementary correlation mechanisms based on two hypotheses about the relationship between attack steps. The first hypothesis is that attack steps are directly related because an earlier attack enables or positively affects the later one. For this type of attack relationship, we develop a Bayesian-based correlation engine that correlates attack steps based on the security states of systems and networks. The second hypothesis is that some related attack steps, even though they have no obvious and direct relationship in terms of security and performance measures, still exhibit temporal and statistical patterns. For this category of relationship, we apply time series and statistical analysis to correlate attack steps. The security analysts are presented with aggregated information on attack strategies from these two correlation engines. We evaluate our approach using DARPA's Grand Challenge Problem (GCP) data sets. The results show that our approach can discover novel attack strategies and provide a quantitative analysis of attack scenarios.
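The second correlation engine described in the abstract relies on temporal and statistical patterns between alert streams rather than on hard-coded prerequisite knowledge. As an added illustration (not code from the paper or its authors), the following Python example runs a pairwise Granger-style lag test between per-window alert counts of two alert types: it fits a restricted model that predicts one series from its own lags and an unrestricted model that also includes lags of the other series, then compares their residuals with an F statistic. The alert series are constructed inline with a seeded generator, and the lag length and score threshold are assumptions of this example; the paper's own statistical procedure is not reproduced here.

```python
"""Pairwise lag-based correlation of alert-count time series (stdlib only).

Added example: a Granger-style test of whether one alert type's past counts
help predict another's. Not the paper's implementation.
"""
import random
from typing import Dict, List, Sequence, Tuple


def _solve(a: List[List[float]], b: List[float]) -> List[float]:
    """Solve a small dense linear system by Gauss-Jordan elimination."""
    n = len(a)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        if abs(m[col][col]) < 1e-12:
            raise ValueError("singular design matrix")
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= f * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]


def _ols_rss(rows: List[List[float]], y: List[float]) -> float:
    """Residual sum of squares of the least-squares fit y ~ rows."""
    k = len(rows[0])
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * yi for r, yi in zip(rows, y)) for i in range(k)]
    beta = _solve(xtx, xty)
    return sum((yi - sum(b * v for b, v in zip(beta, r))) ** 2
               for r, yi in zip(rows, y))


def granger_f(x: Sequence[float], y: Sequence[float], lag: int) -> float:
    """F statistic for the hypothesis 'past x helps predict y' at this lag.

    Restricted model:   y_t ~ 1 + y_{t-1..t-lag}
    Unrestricted model: y_t ~ 1 + y_{t-1..t-lag} + x_{t-1..t-lag}
    """
    rows_r, rows_u, target = [], [], []
    for t in range(lag, len(y)):
        ylags = [float(y[t - i]) for i in range(1, lag + 1)]
        xlags = [float(x[t - i]) for i in range(1, lag + 1)]
        rows_r.append([1.0] + ylags)
        rows_u.append([1.0] + ylags + xlags)
        target.append(float(y[t]))
    rss_r = _ols_rss(rows_r, target)
    rss_u = _ols_rss(rows_u, target)
    df_u = len(target) - (2 * lag + 1)   # residual degrees of freedom
    if rss_u <= 0.0:
        return float("inf")
    return ((rss_r - rss_u) / lag) / (rss_u / df_u)


def rank_pairs(series: Dict[str, Sequence[float]], lag: int
               ) -> List[Tuple[Tuple[str, str], float]]:
    """Score every ordered pair (src -> dst) and sort strongest first.

    In practice the F value is compared with the F(lag, df_u) critical value
    at a chosen significance level; here callers apply their own threshold.
    """
    scores = []
    for src, xs in series.items():
        for dst, ys in series.items():
            if src != dst:
                scores.append(((src, dst), granger_f(xs, ys, lag)))
    return sorted(scores, key=lambda kv: kv[1], reverse=True)


def constructed_alert_series(n: int = 120, seed: int = 7
                             ) -> Tuple[List[int], List[float]]:
    """Constructed sample data (not real alerts): per-window counts of a
    'scan' alert type and an 'exploit' alert type that tends to follow it."""
    rng = random.Random(seed)
    scan = [rng.randint(0, 5) for _ in range(n)]
    exploit = [0.0] * n
    for t in range(2, n):
        exploit[t] = 0.6 * scan[t - 1] + 0.3 * scan[t - 2] + rng.random() * 0.5
    return scan, exploit


if __name__ == "__main__":
    scan, exploit = constructed_alert_series()
    for (src, dst), f in rank_pairs({"scan": scan, "exploit": exploit}, lag=2):
        print(f"{src:>8} -> {dst:<8} F = {f:10.2f}")
```

With the constructed data, the scan-to-exploit direction scores far higher than the reverse, which is the kind of asymmetric temporal pattern the second engine is meant to surface without any rule stating that scanning precedes exploitation. On real alert data the lag length, window size and significance threshold all need to be chosen per deployment, and a high score indicates predictive association, not a confirmed causal chain.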
© 2004 Springer-Verlag Berlin Heidelberg
Qin, X., Lee, W. (2004). Discovering Novel Attack Strategies from INFOSEC Alerts. In: Samarati, P., Ryan, P., Gollmann, D., Molva, R. (eds) Computer Security – ESORICS 2004. ESORICS 2004. Lecture Notes in Computer Science, vol 3193. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30108-0_27
DOI: https://doi.org/10.1007/978-3-540-30108-0_27
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-22987-2
Online ISBN: 978-3-540-30108-0