OMMA: open architecture for Operator-guided Monitoring of Multi-step Attacks

Navarro, Julio; Legrand, Véronique; Deruyver, Aline; Parrend, Pierre

doi:10.1186/s13635-018-0075-x

Cited by 11 publications

(6 citation statements)

References 36 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Other studies used statistical analysis–based detection models, which have problems in areas such as time and accuracy; for examples of these studies, see Refs. [ 65 , 68 , 69 , 73 , 85 , 87 , 99 , 111 , 116 , 127 ].…”

Section: Discussionmentioning

confidence: 99%

A systematic literature review for APT detection and Effective Cyber Situational Awareness (ECSA) conceptual model

Salim

Singh

Keikhosrokiani

2023

Heliyon

View full text Add to dashboard Cite

Section: Discussionmentioning

confidence: 99%

A systematic literature review for APT detection and Effective Cyber Situational Awareness (ECSA) conceptual model

Salim

Singh

Keikhosrokiani

2023

Heliyon

View full text Add to dashboard Cite

“…Learning From Observables. Cyber data from prior security incidents can be utilized to gain insights into attacker behavior, e.g., using log data [35], [36], [37], sensor data [38], and network traffic [39]. Process mining and Markov models are particularly well-suited for sequential learning problems.…”

Section: Related Workmentioning

confidence: 99%

Alert-driven Attack Graph Generation using S-PDFA

Nadeem¹,

Verwer²,

Moskal³

et al. 2021

IEEE Trans. Dependable and Secure Comput.

View full text Add to dashboard Cite

Ideal cyber threat intelligence (CTI) includes insights into attacker strategies that are specific to a network under observation. Such CTI currently requires extensive expert input for obtaining, assessing, and correlating system vulnerabilities into a graphical representation, often referred to as an attack graph (AG). Instead of deriving AGs based on system vulnerabilities, this work advocates the direct use of intrusion alerts. We propose SAGE, an explainable sequence learning pipeline that automatically constructs AGs from intrusion alerts without a priori expert knowledge. SAGE exploits the temporal and probabilistic dependence between alerts in a suffix-based probabilistic deterministic finite automaton (S-PDFA) -a model that brings infrequent severe alerts into the spotlight and summarizes paths leading to them. Attack graphs are extracted from the model on a per-victim, per-objective basis. SAGE is thoroughly evaluated on three open-source intrusion alert datasets collected through security testing competitions in order to analyze distributed multi-stage attacks. SAGE compresses over 330k alerts into 93 AGs that show how specific attacks transpired. The AGs are succinct, interpretable, and provide directly relevant insights into strategic differences and fingerprintable paths. They even show that attackers tend to follow shorter paths after they have discovered a longer one in 84.5% of the cases.

show abstract

“…ML application is challenging. In recent years, machine learning (ML) has emerged as a promising solution for obtaining insights into attacker behavior [6,9,11,12]. ML application requires that the following three challenges be addressed:…”

Section: Motivation and Related Workmentioning

confidence: 99%

Enabling Visual Analytics via Alert-driven Attack Graphs

Nadeem

Verwer

Moskal

et al. 2021

Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Attack graphs (AG) are a popular area of research that display all the paths an attacker can exploit to penetrate a network. Existing techniques for AG generation rely heavily on expert input regarding vulnerabilities and network topology. In this work, we advocate the use of AGs that are built directly using the actions observed through intrusion alerts, without prior expert input. We have developed an unsupervised visual analytics system, called SAGE, to learn alert-driven attack graphs. We show how these AGs (i) enable forensic analysis of prior attacks, and (ii) enable proactive defense by providing relevant threat intelligence regarding attacker strategies. We believe that alert-driven AGs can play a key role in AI-enabled cyber threat intelligence as they open up new avenues for attacker strategy analysis whilst reducing analyst workload. CCS CONCEPTS• Human-centered computing → Visualization; • Security and privacy → Intrusion detection systems; • Computing methodologies → Unsupervised learning.

show abstract

OMMA: open architecture for Operator-guided Monitoring of Multi-step Attacks

Cited by 11 publications

References 36 publications

A systematic literature review for APT detection and Effective Cyber Situational Awareness (ECSA) conceptual model

A systematic literature review for APT detection and Effective Cyber Situational Awareness (ECSA) conceptual model

Alert-driven Attack Graph Generation using S-PDFA

Enabling Visual Analytics via Alert-driven Attack Graphs

Contact Info

Product

Resources

About