Extracting and Evaluating Similar and Unique Cyber Attack Strategies from Intrusion Alerts

Moskal, Stephen; Yang, Shanchieh Jay; Kühl, Michael

doi:10.1109/isi.2018.8587402

Cited by 12 publications

(17 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Process mining uses alert signatures as identifiers, so it cannot be used for modeling contextually different attack stages having the same alert signature. ii) Markov-based methods such as, Markov chains have been used to build alert correlation systems [6,15], and Hidden Markov Models have been used to build alert forecasting systems [8]. Specifically, Moskal et al [15] use Markov chains to construct sequences of attacker strategies from IDS alerts.…”

Section: Related Workmentioning

confidence: 99%

“…ii) Markov-based methods such as, Markov chains have been used to build alert correlation systems [6,15], and Hidden Markov Models have been used to build alert forecasting systems [8]. Specifically, Moskal et al [15] use Markov chains to construct sequences of attacker strategies from IDS alerts. In this paper, we build upon [15] and leverage the temporal and probabilistic dependence between alerts to generate alert-driven attack graphs.…”

Section: Related Workmentioning

confidence: 99%

“…Specifically, Moskal et al [15] use Markov chains to construct sequences of attacker strategies from IDS alerts. In this paper, we build upon [15] and leverage the temporal and probabilistic dependence between alerts to generate alert-driven attack graphs. The probabilistic deterministic finite automaton (S-PDFA) that we use has more expressive power than Markov chains and is easier to interpret.…”

Section: Related Workmentioning

confidence: 99%

“…In literature, such an aggregation is called a hyper-alert or an attack episode. We use the method in [15] to aggregate alerts into attack episodes, and assume that the episodes closely characterize attacker actions. For an attack stage 𝑚𝑐𝑎𝑡, an episode is defined as ⟨𝑠𝑡, 𝑒𝑡, 𝑚𝑐𝑎𝑡, 𝑚𝑆𝑒𝑟𝑣⟩, where 𝑠𝑡 and 𝑒𝑡 are start/end times, and 𝑚𝑆𝑒𝑟𝑣 is the most frequently targeted service during the episode.…”

Section: Related Workmentioning

confidence: 99%

See 3 more Smart Citations

SAGE: Intrusion Alert-driven Attack Graph Extractor

Nadeem¹,

Verwer²,

Yang³

2021

Preprint

Self Cite

View full text Add to dashboard Cite

Attack graphs (AG) are used to assess pathways availed by cyber adversaries to penetrate a network. State-of-the-art approaches for AG generation focus mostly on deriving dependencies between system vulnerabilities based on network scans and expert knowledge. In real-world operations however, it is costly and ineffective to rely on constant vulnerability scanning and expert-crafted AGs. We propose to automatically learn AGs based on actions observed through intrusion alerts, without prior expert knowledge. Specifically, we develop an unsupervised sequence learning system, SAGE, that leverages the temporal and probabilistic dependence between alerts in a suffix-based probabilistic deterministic finite automaton (S-PDFA) -a model that accentuates infrequent severe alerts and summarizes paths leading to them. AGs are then derived from the S-PDFA. Tested with intrusion alerts collected through Collegiate Penetration Testing Competition, SAGE produces AGs that reflect the strategies used by participating teams. The resulting AGs are succinct, interpretable, and enable analysts to derive actionable insights, e.g., attackers tend to follow shorter paths after they have discovered a longer one. CCS CONCEPTS• Security and privacy → Intrusion detection systems; Usability in security and privacy; • Human-centered computing → Visual analytics; • Computing methodologies → Unsupervised learning.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

SAGE: Intrusion Alert-driven Attack Graph Extractor

Nadeem¹,

Verwer²,

Yang³

2021

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…They are especially interested in multi-stage cyber attacks. Their research in this area includes the characterization of multi-stage cyber attacks [23,25] and the creation of a system for multi-stage attack emulation that fuses concepts from computer networks, system vulnerabilities, attack behaviors, and scenarios [70]. More recent works include generating attack models without a priori knowledge [78] and investigating the use of Generative Adversarial Networks to learn and generate synthetic alert scenarios [90].…”

Section: Research Groupsmentioning

confidence: 99%

SoK

Husák

Jirsík

Yang

2020

Proceedings of the 15th International Conference on Availability, Reliability and Security

Self Cite

View full text Add to dashboard Cite

Cyber situational awareness is an essential part of cyber defense that allows the cybersecurity operators to cope with the complexity of today's networks and threat landscape. Perceiving and comprehending the situation allow the operator to project upcoming events and make strategic decisions. In this paper, we recapitulate the fundamentals of cyber situational awareness and highlight its unique characteristics in comparison to generic situational awareness known from other fields. Subsequently, we provide an overview of existing research and trends in publishing on the topic, introduce front research groups, and highlight the impact of cyber situational awareness research. Further, we propose an updated taxonomy and enumeration of the components used for achieving cyber situational awareness. The updated taxonomy conforms to the widely-accepted three-level definition of cyber situational awareness and newly includes the projection level. Finally, we identify and discuss contemporary research and operational challenges, such as the need to cope with rising volume, velocity, and variety of cybersecurity data and the need to provide cybersecurity operators with the right data at the right time and increase their value through visualization. CCS CONCEPTS • Security and privacy → Formal security models; • Networks → Network security.

show abstract