Skip to main content
Springer Nature Link
Log in

Discovering Novel Multistage Attack Strategies

  • Conference paper
Advanced Data Mining and Applications (ADMA 2007)

Part of the book series: Lecture Notes in Computer Science ((LNAI,volume 4632))

Included in the following conference series:

  • 2293 Accesses

Abstract

In monitoring anomalous network activities, intrusion detection systems tend to generate a large amount of alerts, which greatly increase the workload of post-detection analysis and decision-making. A system to detect the ongoing attacks and predict the upcoming next step of a multistage attack in alert streams by using known attack patterns can effectively solve this problem. The complete, correct and up to date pattern rule of various network attack activities plays an important role in such a system. An approach based on sequential pattern mining technique to discover multistage attack activity patterns is efficient to reduce the labor to construct pattern rules. But in a dynamic network environment where novel attack strategies appear continuously, the novel approach that we propose to use incremental mining algorithm shows better capability to detect recently appeared attack. In order to improve the correctness of results and shorten the running time of the mining algorithms, the directed graph is presented to restrict the scope of data queried in mining phase, which is especially useful in incremental mining. Finally, we remove the unexpected results from mining by computing probabilistic score between successive steps in a multistage attack pattern. A series of experiments show the validity of the methods in this paper.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. Ning, P., Cui, Y., Reeves, D.S.: Constructing attack scenarios through correlation of intrusion alerts. In: Proceedings of the 9th ACM Conference on Computer and Communications Security, Washington, DC, November 18-22, 2002, pp. 18–22 (2002)

    Google Scholar 

  2. Ning, P., Cui, Y., Reeves, D.S., Xu, D.: Techniques and tools for analyzing intrusion alerts. ACM Transactions on Information and System Security 7, 274 (2004)

    Article  Google Scholar 

  3. Ning, P., Xu, D.: Alert correlation through triggering events and common resources, Tucson, AZ (2004)

    Google Scholar 

  4. Cuppens, F.: Managing alerts in multi-intrusion detection environment. In: Proceedings 17th annual computer security applications conference, New Orleans (2001)

    Google Scholar 

  5. Cuppens, F., Miège, A.: Alert correlation in a cooperative intrusion detection framework. In: Proceedings of the 2002 IEEE symposium on security and privacy, IEEE Computer Society Press, Los Alamitos (2002)

    Google Scholar 

  6. Cuppens, F., Autrel, F., Miège, A., Benferhat, S.: Correlation in an intrusion detection process. In: SECI 2002. Proceedings SÈcuritè des communications sur internet (2002)

    Google Scholar 

  7. Valdes, A., Skinner, K.: Probabilistic alert correlation. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, Springer, Heidelberg (2001)

    Chapter  Google Scholar 

  8. Hang, M.Y, Wicks, T.M.: A large-scale distributed intrusion detection framework based on attack strategy analysis. Computer network, 2465–2475 (1999)

    Google Scholar 

  9. Sheyner, O., Haines, J., Jha, S., Lippmann, R., Wing, J.M.: Automated generation and analysis of attack graphs. In: Proceedings of the 2002 IEEE Symposium on Security and Privacy, Oakland, CA (May 2002)

    Google Scholar 

  10. Lee, W., Qin, X.: Statistical Causality Analysis of INFOSEC Alert Data. In: Vigna, G., Krügel, C., Jonsson, E. (eds.) RAID 2003. LNCS, vol. 2820, Springer, Heidelberg (2003)

    Google Scholar 

  11. Qin, X., Lee, W.: Discovering novel attack strategies from INFOSEC alerts. In: Sophia Antipolis, France (2004)

    Google Scholar 

  12. Treinen, J.J., Thurimella, R.: A Framework for the Application of Association Rule Mining in Large Intrusion Detection Infrastructures. In: Zamboni, D., Kruegel, C. (eds.) RAID 2006. LNCS, vol. 4219, pp. 1–18. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  13. Mannila, H., Toivonen, H., Verkamo, A.I.: Discovering Frequent Episodes in Sequences. In: KDD 1995. Proceedings of the First International Conference on Knowledge Discovery and Data Mining, Montreal, Canada, pp. 210–215 (1995)

    Google Scholar 

  14. Srikant, R., Agrawal, R.: Mining Sequential Patterns: Generalizations and Performance Improvements. In: KDD 1995. Advances in Database Technology –5th International Conference on Knowledge Discovery and Data Mining, Montreal, Canada, pp. 269–274 (1995)

    Google Scholar 

  15. Agrawal, R., Srikant, R.: Mining sequential patterns. In: Research Report RJ 9910, IBM Almaden Research Center, San Jose, California (October 1994)

    Google Scholar 

  16. Masseglia, F., Poncelet, P., Teisseire, M.: Incremental mining of sequential patterns in large databases. Data Knowledge 46(1), 97–121 (2003)

    Article  Google Scholar 

  17. Lin, M.-Y., Lee, S.-Y.: Incremental Update on Sequential Patterns in Large Databases. In: ICTAI 1998. Proceedings of the 10th IEEE International Conference on Tools with Artificial Intelligence, Taipei, Taiwan, R.O.C, pp. 24–31 (1998)

    Google Scholar 

  18. Wang, L.: Li Z.-t., Fan J.: Learning attack strategies through attack sequence mining method, International Conference on Communication Technology (2006)

    Google Scholar 

  19. MIT Lincoln Lab: DARPA Intrusion Detection Scenario Specific Data Sets (2000), http://www.ll.mit.edu/IST/ideval/data/2000/2000_data_index.html

  20. MIT Lincoln Lab: Tcpdump File Replay Utility. http://ideval.ll.mit.edu/IST/ideval/tools/tools_index.html

Download references

Author information

Authors and Affiliations

  1. Computer Science and Technology Department, Huazhong University of Science and Technology, Wuhan, Hubei, 430074, China

    Zhitang Li, Aifang Zhang, Dong Li & Li Wang

Authors
  1. Zhitang Li
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Aifang Zhang
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Dong Li
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Li Wang
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Computer Science Department, University of Calgary , Calgary, AB, Canada

    Reda Alhajj

  2. School of Computer Science and Technology , Harbin Institute of Technology, Harbin, China

    Hong Gao

  3. School of Computer Science and Technology , Harbin Institute of Technology , Harbin, China

    Jianzhong Li

  4. School of Information Technology and Electronic Engineering , The University of Queensland , Queensland, Australia

    Xue Li

  5. Department of Computing Science , University of Alberta, Edmonton, AB, Canada

    Osmar R. Zaïane

Rights and permissions

Reprints and permissions

Copyright information

© 2007 Springer Berlin Heidelberg

About this paper

Cite this paper

Li, Z., Zhang, A., Li, D., Wang, L. (2007). Discovering Novel Multistage Attack Strategies. In: Alhajj, R., Gao, H., Li, J., Li, X., Zaïane, O.R. (eds) Advanced Data Mining and Applications. ADMA 2007. Lecture Notes in Computer Science(), vol 4632. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-73871-8_6

Download citation

  • DOI: https://doi.org/10.1007/978-3-540-73871-8_6

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-73870-1

  • Online ISBN: 978-3-540-73871-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics