
Part of the book series: Advances in Information Security (ADIS, volume 31)

Abstract

Deploying a large number of information security (INFOSEC) systems can provide in-depth protection for systems and networks. However, the sheer number of security alerts output by security sensors can overwhelm security analysts and keep them from performing effective analysis and initiating a timely response. It is therefore important to develop an advanced alert correlation system that can reduce alarm redundancy, intelligently correlate security alerts and detect attack strategies. Alert correlation is thus a core component of a security management system.

Correlating security alerts and discovering attack strategies are important and challenging tasks for security analysts. Recently, several techniques have been proposed to analyze attack scenarios from security alerts. However, most of these approaches depend on a priori, hard-coded domain knowledge, which limits their ability to detect new attack strategies. In addition, these approaches focus more on the aggregation and analysis of raw security alerts, and build only basic or low-level attack scenarios.

This paper focuses on discovering novel attack strategies via analysis of security alerts. Our integrated alert correlation system helps security administrators aggregate redundant alerts, filter out unrelated attacks, correlate security alerts and analyze attack scenarios.

Our integrated correlation system consists of three complementary correlation mechanisms based on two hypotheses about the relationships between attack steps. The first hypothesis is that some attack steps are directly related because an earlier attack enables or positively affects a later one. We have developed a probability-based correlation engine that incorporates domain knowledge to correlate alerts with a direct causal relationship. The second hypothesis is that some related attack steps, even though they have no obvious, direct (or known) relationship in terms of security and performance measures, still exhibit statistical and temporal patterns. For this category of relationship, we have developed two correlation engines that discover attack transition patterns based on statistical analysis and temporal pattern analysis, respectively. Based on the results of these three correlation engines, we construct attack scenarios and conduct attack path analysis. The security analysts are presented with aggregated information on attack strategies from the integrated correlation system.
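As an added illustration, not code from the chapter or its authors, the following Python sketch shows the shape of the second hypothesis' pipeline on a handful of constructed alerts: redundant alerts are first aggregated, a simple transition statistic (the fraction of alerts of type A whose next alert on the same host is of type B, a hypothetical measure chosen here for clarity, not the paper's own engine) is computed, and the strongest transitions are chained into an attack path. The alert tuples, signatures, window sizes and threshold are all assumptions.

```python
from collections import Counter

# Constructed sample alerts, not drawn from the GCP data set: (time_s, signature, src, dst)
ALERTS = [
    (0,    "PORTSCAN",    "10.0.0.5", "10.0.1.2"),
    (3,    "PORTSCAN",    "10.0.0.5", "10.0.1.2"),   # redundant repeat of the scan
    (40,   "RPC_EXPLOIT", "10.0.0.5", "10.0.1.2"),
    (90,   "NEW_SERVICE", "10.0.1.2", "10.0.1.2"),   # host-based alert raised on the victim
    (600,  "PORTSCAN",    "10.0.0.7", "10.0.1.9"),
    (640,  "RPC_EXPLOIT", "10.0.0.7", "10.0.1.9"),
    (700,  "NEW_SERVICE", "10.0.1.9", "10.0.1.9"),
    (2000, "PORTSCAN",    "10.0.0.8", "10.0.1.3"),   # scan with no follow-up activity
]

def aggregate(alerts, window=30):
    """Collapse alerts with identical (signature, src, dst) arriving within `window` seconds."""
    merged = []
    for a in sorted(alerts):
        if merged and merged[-1][1:] == a[1:] and a[0] - merged[-1][0] <= window:
            continue  # redundant alert: same signature and endpoints, too close in time
        merged.append(a)
    return merged

def transition_scores(alerts, window=300):
    """score[(A, B)] = fraction of A alerts whose next alert touching the same host,
    within `window` seconds, carries signature B (hypothetical statistic, not the paper's)."""
    alerts = sorted(alerts)
    follow, total = Counter(), Counter()
    for i, (t, sig, src, dst) in enumerate(alerts):
        total[sig] += 1
        for t2, sig2, src2, dst2 in alerts[i + 1:]:
            if t2 - t > window:
                break  # nothing followed on this host within the window
            if {src, dst} & {src2, dst2}:
                follow[(sig, sig2)] += 1
                break  # only the immediate successor counts as a transition
    return {pair: n / total[pair[0]] for pair, n in follow.items()}

def attack_path(scores, start, min_score=0.5):
    """Greedily chain the strongest transition above `min_score` into an attack path."""
    path, current = [start], start
    while True:
        nxt = [(s, b) for (a, b), s in scores.items()
               if a == current and b not in path and s >= min_score]
        if not nxt:
            return path
        current = max(nxt)[1]
        path.append(current)

if __name__ == "__main__":
    scores = transition_scores(aggregate(ALERTS))
    print(attack_path(scores, "PORTSCAN"))  # ['PORTSCAN', 'RPC_EXPLOIT', 'NEW_SERVICE']
```

The lone scan at t=2000 lowers the PORTSCAN to RPC_EXPLOIT score without breaking the path, which is the kind of noise filtering the abstract describes; a real engine would also test the statistic for significance rather than apply a fixed threshold.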

We evaluate our approaches using DARPA’s Grand Challenge Problem (GCP) data sets. Our evaluation shows that our approach can effectively discover novel attack strategies, provide a quantitative analysis of attack scenarios and identify attack plans.

The work was done when the author was at College of Computing at Georgia Institute of Technology.




Copyright information

© 2007 Springer Science+Business Media, LLC

About this chapter

Cite this chapter

Qin, X., Lee, W. (2007). Discovering Novel Attack Strategies from Infosec Alerts. In: Data Warehousing and Data Mining Techniques for Cyber Security. Advances in Information Security, vol 31. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-47653-7_7


  • DOI: https://doi.org/10.1007/978-0-387-47653-7_7

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-0-387-26409-7

  • Online ISBN: 978-0-387-47653-7
