Abstract
In recent years, many approaches for correlating alerts and discovering attack scenarios have been proposed. However, most of them suffer from difficulties such as a strong dependence on predefined correlation rules and domain knowledge, a very large computational workload in some cases, and a limited ability to discover new attack scenarios. In this paper we therefore propose a new alert correlation method that automatically extracts multi-step attack scenarios. The method is based on a multi-phase process applied to the alerts generated by an IDS. In the normalization phase, alerts are converted into a form that the proposed system can process easily. In the alert winnowing phase, each alert is assigned to the alert sequence, or attack scenario, to which it belongs. Once the scenario of each alert is determined, the sub-scenarios and meta-alerts of each scenario are extracted. Finally, from the produced meta-alerts, a multi-step attack graph is constructed for each attack scenario. We evaluate our approach using the DARPA 2000 data sets. Our experiments show that the approach can effectively construct multi-step attack scenarios and gives a high-level view of the intruder's intentions.
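The four phases described above (normalization, winnowing, meta-alert extraction, graph construction) as a minimal worked pipeline. This is an added illustration, not the paper's implementation: the alert records, the fixed time window and the host-overlap rule used to winnow alerts into scenarios are all assumptions, and the sample alerts are constructed rather than taken from DARPA 2000.

```python
# Constructed sample IDS alerts (time in s, alert type, source, destination); not from
# the paper or from DARPA 2000, but shaped like a probe -> exploit -> foothold -> agent chain.
RAW_ALERTS = [
    (0, "ICMP_Probe", "10.0.0.9", "172.16.1.5"),
    (5, "ICMP_Probe", "10.0.0.9", "172.16.1.5"),
    (9, "ICMP_Probe", "10.0.0.9", "172.16.1.5"),
    (30, "RPC_Overflow", "10.0.0.9", "172.16.1.5"),
    (40, "Port_Scan", "10.0.0.44", "172.16.2.2"),            # unrelated activity
    (60, "Remote_Shell", "10.0.0.9", "172.16.1.5"),
    (90, "DDoS_Agent_Install", "172.16.1.5", "192.168.3.7"),  # victim pivots outward
]
WINDOW = 120  # seconds; alerts further apart than this are never chained (assumed parameter)

def normalize(raw):
    """Phase 1: map raw sensor tuples to one uniform record shape, ordered by time."""
    recs = [{"t": t, "type": k, "src": s, "dst": d} for t, k, s, d in raw]
    return sorted(recs, key=lambda a: a["t"])

def winnow(alerts):
    """Phase 2: assign every alert to a scenario. An alert joins the first scenario whose
    last alert lies within WINDOW and whose known hosts include the alert's source, so a
    step launched from an already-involved host (e.g. a compromised victim) stays linked."""
    scenarios = []
    for a in alerts:
        for sc in scenarios:
            if a["t"] - sc["alerts"][-1]["t"] <= WINDOW and a["src"] in sc["hosts"]:
                sc["hosts"].update((a["src"], a["dst"]))
                sc["alerts"].append(a)
                break
        else:  # no scenario accepted the alert: it starts a new one
            scenarios.append({"hosts": {a["src"], a["dst"]}, "alerts": [a]})
    return [sc["alerts"] for sc in scenarios]

def meta_alerts(scenario):
    """Phase 3: collapse runs of identical (type, src, dst) alerts into one meta-alert."""
    metas = []
    for a in scenario:
        key = (a["type"], a["src"], a["dst"])
        if metas and metas[-1]["key"] == key:
            metas[-1]["count"] += 1
        else:
            metas.append({"key": key, "count": 1, "first_seen": a["t"]})
    return metas

def attack_graph(metas):
    """Phase 4: successive meta-alerts become the edges of the multi-step attack graph."""
    return [(metas[i]["key"][0], metas[i + 1]["key"][0]) for i in range(len(metas) - 1)]

def build_scenarios(raw):
    """Run all four phases; returns one (meta_alerts, graph) pair per scenario."""
    return [(m, attack_graph(m)) for m in map(meta_alerts, winnow(normalize(raw)))]
```

On the sample input, `build_scenarios(RAW_ALERTS)` yields two scenarios: the four-step chain with the three probes collapsed into one meta-alert of count 3, and the lone port scan with an empty graph.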