Abstract:
An intrusion detection system (IDS) is an integral part of computer networks, used to monitor for and detect threats. However, the alerts raised by these systems are often overwhelming to security analysts, making it difficult to uncover the steps an attacker took to compromise one or more systems in the network. This work presents a novel approach that aggregates IDS alerts and forms sequences of attack activities together with their corresponding probabilistic models. This allows attack sequences to be compared, offering insights into unique as well as similar attack behaviors. We aggregate alerts by applying a Gaussian filter to specific alert attributes and model attackers using a suffix-based probabilistic model. We compare sequences generated from ten independent attacking teams with similar objectives, demonstrating how our process uncovers similarities and uniqueness between the attacks that were not otherwise obvious. The sequences revealed by our process are meaningful and offer insights into how the attacking teams exploit a network.
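The two stages the abstract describes, Gaussian-filter aggregation of raw alerts into attack steps and a suffix-based probabilistic model for comparing teams, as an added example that is not the paper's code. The alert streams are constructed, and the choice of alert category as the filtered attribute, the kernel width, the burst threshold and the add-one smoothing are all assumptions made here.

```python
import math
from collections import defaultdict

# Constructed alert streams as (seconds since start, alert category); not real IDS data.
TEAM_A = [(t, "scan") for t in range(5)] + [(t, "brute") for t in range(30, 34)] + [(60, "exploit"), (61, "exploit"), (90, "privesc")]
TEAM_B = [(t, "scan") for t in range(3)] + [(20, "exploit"), (21, "exploit"), (40, "privesc"), (41, "privesc"), (60, "scan"), (61, "scan")]

def smoothed(times, horizon, sigma):
    # Per-second alert counts convolved with a Gaussian kernel truncated at 3 sigma.
    w = {k: math.exp(-k * k / (2 * sigma ** 2)) for k in range(-3 * int(sigma), 3 * int(sigma) + 1)}
    norm = sum(w.values())
    return [sum(w.get(s - t, 0.0) for t in times) / norm for s in range(horizon)]

def aggregate(alerts, sigma=2.0, threshold=0.1):
    # Each span where a category's smoothed density exceeds the threshold is one attack step, ordered by burst start.
    horizon = max(t for t, _ in alerts) + 3 * int(sigma) + 2   # trailing zeros close open bursts
    by_cat = defaultdict(list)
    for t, cat in alerts:
        by_cat[cat].append(t)
    steps = []
    for cat, times in by_cat.items():
        start = None
        for s, v in enumerate(smoothed(times, horizon, sigma)):
            if v > threshold and start is None:
                start = s
            elif v <= threshold and start is not None:
                steps.append((start, cat)); start = None
    return [cat for _, cat in sorted(steps)]

class SuffixModel:
    # P(next step | longest previously seen suffix of the preceding steps, up to
    # max_order symbols), with add-one smoothing so unseen transitions stay finite.
    def __init__(self, max_order=2):
        self.max_order, self.alphabet, self.counts = max_order, set(), defaultdict(lambda: defaultdict(int))
    def train(self, steps):
        seq = ["<s>"] + steps + ["</s>"]
        self.alphabet.update(seq)
        for i in range(1, len(seq)):
            for n in range(min(i, self.max_order) + 1):
                self.counts[tuple(seq[i - n:i])][seq[i]] += 1
    def prob(self, context, sym):
        for n in range(min(len(context), self.max_order), -1, -1):
            nxt = self.counts.get(tuple(context[len(context) - n:]))
            if nxt:
                return (nxt.get(sym, 0) + 1) / (sum(nxt.values()) + len(self.alphabet))
        return 1 / len(self.alphabet)
    def log_likelihood(self, steps):
        # Log-probability of a whole sequence: higher means it looks more like the training team.
        seq = ["<s>"] + steps + ["</s>"]
        return sum(math.log(self.prob(seq[:i], seq[i])) for i in range(1, len(seq)))
```

Training a model on one team's aggregated sequence and scoring the other teams' sequences under it gives a per-pair likelihood that separates teams following the same step order from those that diverge.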
Date of Conference: 09-11 November 2018
Date Added to IEEE Xplore: 27 December 2018