Probabilistic Alert Correlation
RAID '00 Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection
ASAX: Software Architecture and Rule-Based Language for Universal Audit Trail Analysis
ESORICS '92 Proceedings of the Second European Symposium on Research in Computer Security
Issues in data stream management
ACM SIGMOD Record
Learning attack strategies from intrusion alerts
Proceedings of the 10th ACM conference on Computer and communications security
Correlating Intrusion Events and Building Attack Scenarios Through Attack Graph Distances
ACSAC '04 Proceedings of the 20th Annual Computer Security Applications Conference
Activity Recognition and Abnormality Detection with the Switching Hidden Semi-Markov Model
CVPR '05 Proceedings of the 2005 IEEE Computer Society Conference on Computer Vision and Pattern Recognition (CVPR'05) - Volume 1 - Volume 01
Practical Attack Graph Generation for Network Defense
ACSAC '06 Proceedings of the 22nd Annual Computer Security Applications Conference
Towards highly reliable enterprise network services via inference of multi-level dependencies
Proceedings of the 2007 conference on Applications, technologies, architectures, and protocols for computer communications
Unsupervised pattern mining from symbolic temporal data
ACM SIGKDD Explorations Newsletter - Special issue on data mining for health informatics
Estimating a System's Mean Time-to-Compromise
IEEE Security and Privacy
What's going on?: learning communication rules in edge networks
Proceedings of the ACM SIGCOMM 2008 conference on Data communication
Using attack graphs for correlating, hypothesizing, and predicting intrusion alerts
Computer Communications
Automating network application dependency discovery: experiences, limitations, and new solutions
OSDI'08 Proceedings of the 8th USENIX conference on Operating systems design and implementation
A service dependency model for cost-sensitive intrusion response
ESORICS'10 Proceedings of the 15th European conference on Research in computer security
A Constrained Probabilistic Petri Net Framework for Human Activity Detection in Video*
IEEE Transactions on Multimedia
Hi-index | 0.00 |
Attack graphs have been widely used for attack modeling, alert correlation, and prediction. In order to address the limitations of current approaches - scalability and impact analysis - we propose a novel framework to analyze massive amounts of alerts in real time, and measure the impact of current and future attacks. Our contribution is threefold. First, we introduce the notion of generalized dependency graph, which captures how network components depend on each other, and how the services offered by an enterprise depend on the underlying infrastructure. Second, we extend the classical definition of attack graph with the notion of timespan distribution, which encodes probabilistic knowledge of the attacker's behavior. Finally, we introduce attack scenario graphs, which combine dependency and attack graphs, bridging the gap between known vulnerabilities and the services that could be ultimately affected by the corresponding exploits. We propose efficient algorithms for both detection and prediction, and show that they scale well for large graphs and large volumes of alerts. We show that, in practice, our approach can provide security analysts with actionable intelligence about the current cyber situation, enabling them to make more informed decisions.