We map intrusion events to known exploits in the network attack graph, and correlate the events through the corresponding attack graph distances. From this, we construct attack scenarios, and provide scores for the degree of causal correlation between their constituent events, as well as an overall relevancy score for each scenario. While intrusion event correlation and attack scenario construction have been previously studied, this is the first treatment based on association with network attack graphs. We handle missed detections through the analysis of network vulnerability dependencies, unlike previous approaches that infer hypothetical attacks. In particular, we quantify lack of knowledge through attack graph distance. We show that low-pass signal filtering of event correlation sequences improves results in the face of erroneous detections. We also show how a correlation threshold can be applied for creating strongly correlated attack scenarios. Our model is highly efficient, with attack graphs and their exploit distances being computed offline. Online event processing requires only a database lookup and a small number of arithmetic operations, making the approach feasible for real-time applications.
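The pipeline sketched above, as an added worked example (illustrative code written for this page, not the paper's implementation): the attack graph and its exploit distances are computed offline with BFS, each online event needs only a dictionary lookup and a division, consecutive events are scored by inverse attack-graph distance (so a distance of 2 marks one undetected exploit between them and an unreachable pair scores 0), the correlation sequence is smoothed with a moving average, and the stream is cut into scenarios wherever the filtered correlation drops below a threshold. The network, signature-to-exploit map, event stream, scoring function, window size and threshold are all constructed assumptions.

```python
"""Correlating IDS events through attack-graph distances (added example).

Attack graph, signature map, event stream, inverse-distance scoring,
3-sample moving average and 0.6 threshold are constructed assumptions.
"""
from collections import deque
from typing import Dict, List, Tuple

# --- offline: attack graph and all-pairs exploit distances ----------------
# exploit -> exploits whose preconditions its postconditions satisfy
ATTACK_GRAPH: Dict[str, List[str]] = {
    "ftp_rhosts(attacker,dmz)": ["rsh_login(attacker,dmz)"],
    "rsh_login(attacker,dmz)": ["ftp_rhosts(dmz,db)", "sshd_bof(dmz,db)"],
    "ftp_rhosts(dmz,db)": ["rsh_login(dmz,db)"],
    "sshd_bof(dmz,db)": ["local_bof(db)"],
    "rsh_login(dmz,db)": ["local_bof(db)"],
    "local_bof(db)": [],
    "web_scan(attacker,web)": ["cgi_bof(attacker,web)"],
    "cgi_bof(attacker,web)": [],
}


def all_pairs_distances(graph: Dict[str, List[str]]) -> Dict[str, Dict[str, int]]:
    """BFS from every exploit: dist[src][dst] = minimum exploit steps from
    src to dst. Unreachable pairs are absent. Run once, offline."""
    dist: Dict[str, Dict[str, int]] = {}
    for src in graph:
        hops = {src: 0}
        queue = deque([src])
        while queue:
            u = queue.popleft()
            for v in graph[u]:
                if v not in hops:
                    hops[v] = hops[u] + 1
                    queue.append(v)
        dist[src] = hops
    return dist


DISTANCES = all_pairs_distances(ATTACK_GRAPH)  # the "database" queried online

# IDS signature -> attack-graph exploit (constructed mapping)
SIGNATURE_TO_EXPLOIT = {
    "FTP .rhosts upload attacker->dmz": "ftp_rhosts(attacker,dmz)",
    "RSH login attacker->dmz": "rsh_login(attacker,dmz)",
    "FTP .rhosts upload dmz->db": "ftp_rhosts(dmz,db)",
    "RSH login dmz->db": "rsh_login(dmz,db)",
    "SSHD overflow dmz->db": "sshd_bof(dmz,db)",
    "Local overflow db": "local_bof(db)",
    "Web scan attacker->web": "web_scan(attacker,web)",
    "CGI overflow attacker->web": "cgi_bof(attacker,web)",
}


# --- online: one lookup and a little arithmetic per event -----------------
def pair_correlation(prev_exploit: str, next_exploit: str) -> float:
    """Assumed score: inverse of attack-graph distance. 1 = direct causal
    link, 1/2 = one exploit missed by the IDS, 0 = no path at all.
    Distance 0 (same exploit repeated, a retry) is scored 1."""
    d = DISTANCES.get(prev_exploit, {}).get(next_exploit)
    if d is None:
        return 0.0
    return 1.0 if d == 0 else 1.0 / d


def low_pass(seq: List[float], window: int = 3) -> List[float]:
    """Causal moving average over the correlation sequence, so a single dip
    from a missed or spurious detection is damped rather than cutting the
    scenario. window=1 disables filtering."""
    out = []
    for i in range(len(seq)):
        chunk = seq[max(0, i - window + 1): i + 1]
        out.append(sum(chunk) / len(chunk))
    return out


def _finish(ids: List[str], links: List[float]) -> Tuple[List[str], float]:
    # scenario relevancy (assumed): mean raw correlation of its internal links
    relevancy = sum(links) / len(links) if links else 0.0
    return list(ids), round(relevancy, 3)


def build_scenarios(events: List[Tuple[str, str]], threshold: float = 0.6,
                    window: int = 3):
    """Map events to exploits, correlate consecutive pairs, filter, and cut
    the stream where filtered correlation < threshold.
    Returns (raw, filtered, [(event_ids, relevancy), ...])."""
    exploits = [SIGNATURE_TO_EXPLOIT[sig] for _, sig in events]
    raw = [pair_correlation(a, b) for a, b in zip(exploits, exploits[1:])]
    filtered = low_pass(raw, window)
    scenarios, ids, links = [], [events[0][0]], []
    for i, (eid, _) in enumerate(events[1:]):   # link i joins event i and i+1
        if filtered[i] < threshold:
            scenarios.append(_finish(ids, links))
            ids, links = [eid], []
        else:
            ids.append(eid)
            links.append(raw[i])
    scenarios.append(_finish(ids, links))
    return raw, filtered, scenarios


EVENTS = [  # constructed IDS event stream: (event id, signature)
    ("e1", "FTP .rhosts upload attacker->dmz"),
    ("e2", "RSH login attacker->dmz"),
    ("e3", "RSH login dmz->db"),        # ftp_rhosts(dmz,db) undetected: distance 2
    ("e4", "Local overflow db"),
    ("e5", "Web scan attacker->web"),   # unrelated attack begins: unreachable
    ("e6", "CGI overflow attacker->web"),
]

if __name__ == "__main__":
    for window in (3, 1):
        raw, filt, scen = build_scenarios(EVENTS, window=window)
        print(f"window={window} raw={raw} filtered={[round(x, 3) for x in filt]}")
        for ids, rel in scen:
            print(f"  scenario {ids} relevancy={rel}")
```

With the 3-sample filter the missed detection between e2 and e3 (raw 0.5) is smoothed to 0.75 and stays inside the first scenario, while the jump to the unrelated web attack (raw 0.0, filtered 0.5) still cuts the stream; with `window=1` (no filtering) the same 0.6 threshold wrongly splits e3 and e4 from e1 and e2. Every online step is a `DISTANCES` lookup plus a division, which is what makes the approach cheap enough for real-time use.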