Abstract

Most attacks on the Internet are progressive, multi-step attacks that pass through several nodes. A traditional Intrusion Detection System (IDS) cannot identify the node where an attack originated, which makes it difficult to block the attack at its source. This paper focuses on using the IDS alerts raised on abnormal traffic to correlate the attacks the IDS detects, reconstruct multi-step attack scenarios and discover attack chains. Because IDS output contains many false positives, accurately reconstructing the attack scenario and extracting the most critical attack chain is challenging. We therefore propose a method that reconstructs multi-step attack scenarios in the network by fusing three kinds of information: attack time, risk assessment and attack node information. First, we propose the Convolution and Agent Decision Tree Network (CTnet), a convolutional neural network that evaluates the attacks detected by the IDS and emits each alert together with an attack risk assessment. Then, we reconstruct a weighted attack scenario by applying a Graph-based Fusion Module (GM) to the risk assessments and time information of the captured attacks. Finally, we extract the high-risk attack chain with the Depth First Search with Time and Weight (TW-DFS) algorithm. The experimental results show that the proposed method can accurately reconstruct multi-step attack scenarios and trace them back to the originating host. This helps administrators deploy security measures more effectively and ensure the overall security of the network.
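As an added illustration (not the paper's code, and only a simplified reading of the three stages the abstract describes), the following Python builds a time-ordered, risk-weighted alert graph from constructed IDS alerts and runs a depth-first search that scores each path by accumulated risk, returning the highest-risk chain and its originating host. The integer risk scores stand in for CTnet's assessment and are made up, and the search is an assumption about how a time-and-weight DFS could behave, not the paper's TW-DFS.

```python
from collections import defaultdict

# Constructed sample alerts: (alert_id, src_host, dst_host, timestamp, risk).
# Risk is a made-up stand-in for the per-alert assessment a CTnet-like stage would emit.
ALERTS = [
    ("a1", "10.0.0.5", "10.0.0.7", 100, 3),   # low-risk scan from the true origin
    ("a2", "10.0.0.7", "10.0.0.9", 150, 8),   # exploit launched from the scanned host
    ("a3", "10.0.0.9", "10.0.0.12", 200, 9),  # lateral movement onward
    ("a4", "10.0.0.7", "10.0.0.11", 120, 2),  # likely false positive, dead end
    ("a5", "10.0.0.9", "10.0.0.12", 90, 9),   # same hosts as a3 but BEFORE a2: time violation
]


def build_attack_graph(alerts, min_risk=0):
    """Edge a->b when a's destination is b's source and a strictly precedes b.

    Alerts below min_risk are dropped first, mimicking a false-positive filter."""
    kept = [a for a in alerts if a[4] >= min_risk]
    by_id = {a[0]: a for a in kept}
    edges = defaultdict(list)
    for a in kept:
        for b in kept:
            if a[0] != b[0] and a[2] == b[1] and a[3] < b[3]:
                edges[a[0]].append(b[0])
    return by_id, edges


def tw_dfs(alerts, min_risk=0):
    """Return (total_risk, chain) for the highest-weight time-ordered path.

    Roots are alerts with no predecessor; weight is the sum of risk along the path."""
    by_id, edges = build_attack_graph(alerts, min_risk)
    has_pred = {b for succ in edges.values() for b in succ}
    best = (0, [])

    def dfs(node, path, score):
        nonlocal best
        if score > best[0]:
            best = (score, list(path))
        for nxt in edges[node]:
            if nxt not in path:  # time ordering already forbids cycles; guard anyway
                path.append(nxt)
                dfs(nxt, path, score + by_id[nxt][4])
                path.pop()

    for root in (a for a in by_id if a not in has_pred):
        dfs(root, [root], by_id[root][4])
    return best


def origin_host(alerts, min_risk=0):
    """Source host of the first alert in the highest-risk chain."""
    _, chain = tw_dfs(alerts, min_risk)
    by_id = {a[0]: a for a in alerts}
    return by_id[chain[0]][1] if chain else None
```

With the sample data the full chain a1 -> a2 -> a3 traces back to 10.0.0.5, while filtering alerts below risk 5 discards the low-risk scan and the trace stops one hop short at 10.0.0.7, which is the trade-off the abstract's false-positive problem points at.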
