MAAC: Novel Alert Correlation Method To Detect Multi-step Attack

Wang, Xiaoyu; Yu, Lei; He, Houhua; Gong, Xiaojing

doi:10.1109/trustcom53373.2021.00106

Cited by 15 publications

(7 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Another way of correlation is the analysis of semantically similar events. MAAC (Wang et al, 2021a) (Multi-step Attack detection by Alert Correlation) uses Doc2vec to get the semantic representation of the alert description and calculates the cosine distance of the generated vector. MAAC matches the alerts and creates a graph first for alerts generated on the same host and then between hosts.…”

Section: Hybrid Modelsmentioning

confidence: 99%

“…Causal-based correlation methods make it easy to interpret the results of correlation by the operator. Therefore, this category of methods is well suited for visualizing the sequence of events (Heigl et al, 2021;Wang et al, 2021a). The simplicity of implementing such models is reduced, and also requires more computing resources to process a large amount of data.…”

Section: Summary Of Ai-based Security Event Correlation Modelsmentioning

confidence: 99%

See 1 more Smart Citation

A survey on artificial intelligence techniques for security event correlation: models, challenges, and opportunities

Gaifulina

Kotenko

2023

Artif Intell Rev

View full text Add to dashboard Cite

Information systems need to process a large amount of event monitoring data. The process of finding the relationships between events is called correlation, which creates a context between independent events and previously collected information in real time and normalizes it for subsequent processing. In cybersecurity, events can determine the steps of attackers and can be analyzed as part of a specific attack strategy. In this survey, we present the systematization of security event correlation models in terms of their representation in AI-based monitoring systems as: rule-based, semantic, graphical and machine learning based-models. We define the main directions of current research in the field of AI-based security event correlation and the methods used for the correlation of both single events and their sequences in attack scenarios. We also describe the prospects for the development of hybrid correlation models. In conclusion, we identify the existing problems in the field and possible ways to overcome them.

show abstract

Section: Hybrid Modelsmentioning

confidence: 99%

Section: Summary Of Ai-based Security Event Correlation Modelsmentioning

confidence: 99%

A survey on artificial intelligence techniques for security event correlation: models, challenges, and opportunities

Gaifulina

Kotenko

2023

Artif Intell Rev

View full text Add to dashboard Cite

show abstract

“…Subsequently, endpoint security is not simply a need for information insurance and network safety yet additionally for administrative adherence and keeping up with entrust with clients and accomplices. In any case, it faces impediments, for example, asset overutilization, dependence on signaturebased identification strategies, and a web association prerequisite for specific capabilities [3]. Vitally, EPP battles to battle insider dangers, which is where EDR becomes an integral factor.…”

Section: Need Of Endpoint Securitymentioning

confidence: 99%

“…The future work incorporates the extension of safety strategies and the execution of a more exhaustive remediation instrument. This mirrors the persistent need to adjust and further develop endpoint security advances to keep up with powerful insurance against advancing dangers [3]. The changing danger scene requires a proactive data security approach, zeroing in on precautionary measures as opposed to responsive safeguards.…”

Section: Evolution Of Endpoint Securitymentioning

confidence: 99%

Comprehensive Analysis of Endpoint Security Strategies, Technologies and Challenges

2023

IRJMETS

View full text Add to dashboard Cite

The escalating frequency of data breaches, often attributed to endpoint vulnerabilities, has propelled enterprises to reevaluate their security strategies. Notably, mobile devices have emerged as a primary source of data leaks. Traditional approaches such as employee training have proven inadequate, exacerbated by the proliferation of third-party cloud services, which challenge data protection. In response, the endpoint security market has flourished, offering solutions for safeguarding these endpoints. Our study delves into methods and technologies for endpoint security, contrasting traditional Endpoint Protection Platforms (EPP) with emerging Endpoint Detection and Response (EDR) systems. An in-depth evaluation of their mechanisms and effectiveness is presented, emphasizing the attributes of effective protection software. Furthermore, our review seeks to aid organizations, both small and large, in comprehending the evolving landscape of insider threats in dynamic cyberspace. This understanding can empower companies to exercise enhanced control over endpoint security, mitigating the risk of future data breaches. Negligent users are also enlightened about the gravity of online privacy while connected to corporate networks. By attempting to predict the future of protection products, this paper contributes to the broader research on endpoint detection, protection, and related areas.

show abstract

“…The key lies in analyzing the cause-and-effect relationships between alert information before and after, thus establishing the correlation between alert information [3,4]. This approach aids in reconstructing the complete attack path and attack scenario of MSA.…”

Section: Section 1: Introductionmentioning

confidence: 99%

Anomaly based multi-stage attack detection method

Ma,

Hou,

Jin

et al. 2024

PLoS ONE

View full text Add to dashboard Cite

Multi-stage attacks are one of the most critical security threats in the current cyberspace. To accurately identify multi-stage attacks, this paper proposes an anomaly-based multi-stage attack detection method. It constructs a Multi-Stage Profile (MSP) by modeling the stable system’s normal state to detect attack behaviors. Initially, the method employs Doc2Vec to vectorize alert messages generated by the intrusion detection systems (IDS), extracting profound inter-message correlations. Subsequently, Hidden Markov Models (HMM) are employed to model the normal system state, constructing an MSP, with relevant HMM parameters dynamically acquired via clustering algorithms. Finally, the detection of attacks is achieved by determining the anomaly threshold through the generation probability (GP). To evaluate the performance of the proposed method, experiments were conducted using three public datasets and compared with three advanced multi-stage attack detection methods. The experimental results demonstrate that our method achieves an accuracy of over 99% and precision of 100% in multi-stage attack detection. This confirms the effectiveness of our method in adapting to different attack scenarios and ultimately completing attack detection.

show abstract

MAAC: Novel Alert Correlation Method To Detect Multi-step Attack

Cited by 15 publications

References 16 publications

A survey on artificial intelligence techniques for security event correlation: models, challenges, and opportunities

A survey on artificial intelligence techniques for security event correlation: models, challenges, and opportunities

Comprehensive Analysis of Endpoint Security Strategies, Technologies and Challenges

Anomaly based multi-stage attack detection method

Contact Info

Product

Resources

About