Discovering Novel Multistage Attack Strategies

Authors:
Zhitang Li;Aifang Zhang;Dong Li;Li Wang
Affiliations:
Computer Science and Technology Department, Huazhong University of Science and Technology, Wuhan, Hubei, 430074, China;Computer Science and Technology Department, Huazhong University of Science and Technology, Wuhan, Hubei, 430074, China;Computer Science and Technology Department, Huazhong University of Science and Technology, Wuhan, Hubei, 430074, China;Computer Science and Technology Department, Huazhong University of Science and Technology, Wuhan, Hubei, 430074, China
Venue:
ADMA '07 Proceedings of the 3rd international conference on Advanced Data Mining and Applications
Year:
2007

Citing 9
Cited 0

A large scale distributed intrusion detection framework based on attack strategy analysis

Computer Networks: The International Journal of Computer and Telecommunications Networking
Constructing attack scenarios through correlation of intrusion alerts

Proceedings of the 9th ACM conference on Computer and communications security
Probabilistic Alert Correlation

RAID '00 Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection
Automated Generation and Analysis of Attack Graphs

SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Alert Correlation in a Cooperative Intrusion Detection Framework

SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Incremental mining of sequential patterns in large databases

Data & Knowledge Engineering
Managing Alerts in a Multi-Intrusion Detection Environment

ACSAC '01 Proceedings of the 17th Annual Computer Security Applications Conference
Techniques and tools for analyzing intrusion alerts

ACM Transactions on Information and System Security (TISSEC)
A framework for the application of association rule mining in large intrusion detection infrastructures

RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection

Quantified Score

Hi-index	0.00

Visualization

Abstract

In monitoring anomalous network activities, intrusion detection systems tend to generate a large amount of alerts, which greatly increase the workload of post-detection analysis and decision-making. A system to detect the ongoing attacks and predict the upcoming next step of a multistage attack in alert streams by using known attack patterns can effectively solve this problem. The complete, correct and up to date pattern rule of various network attack activities plays an important role in such a system. An approach based on sequential pattern mining technique to discover multistage attack activity patterns is efficient to reduce the labor to construct pattern rules. But in a dynamic network environment where novel attack strategies appear continuously, the novel approach that we propose to use incremental mining algorithm shows better capability to detect recently appeared attack. In order to improve the correctness of results and shorten the running time of the mining algorithms, the directed graph is presented to restrict the scope of data queried in mining phase, which is especially useful in incremental mining. Finally, we remove the unexpected results from mining by computing probabilistic score between successive steps in a multistage attack pattern. A series of experiments show the validity of the methods in this paper.