A System for Detecting Targeted Cyber-Attacks Using Attack Patterns

  • Conference paper
Information Systems Security and Privacy (ICISSP 2017)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 867)

Abstract

Detecting multi-stage cyber-attacks remains a challenge for any security analyst working in a large corporate environment. Conventional security solutions such as intrusion detection systems tend to report huge numbers of alerts that still have to be examined and cross-checked against other available data in order to eliminate false positives and identify genuine attacks. Attack patterns can be used to describe the causal relationships between the events detected at different stages of an attack. In this paper, we introduce an agent-based system that collects relevant event data from various sources in the network and then correlates the events according to predefined attack patterns. The system allows security analysts to formulate attack patterns based on their own knowledge and experience, and to test them on available datasets. We present an example attack pattern for discovering suspicious activities in the network following a potential brute-force attack on one of the servers. We discuss the results produced by our prototype implementation and show how a security analyst can drill down further into the data to identify the victim and obtain information about the attack methods.
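The abstract describes agents that collect events from different sources and correlate them against analyst-defined attack patterns, using a brute-force attack followed by suspicious network activity as the worked pattern. The following is an added example and not the paper's code or prototype: a minimal correlator in Python in which a pattern is an ordered list of stages, each stage is a predicate plus a minimum event count and a time window, and variables bound by the first stage (attacker, victim) constrain the later ones, so that a successful login from a host that was not the brute-forcing source, or failures that never turn into a login, do not complete the chain. The log format, sensor names, IP addresses, thresholds and windows are constructed for the example.

```python
# Toy attack-pattern correlator (added example, not the paper's system).
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class Event:
    ts: datetime
    sensor: str          # agent that reported the event (constructed names)
    kind: str            # normalised event type shared across sensors
    src: str
    dst: str
    detail: str = ""

@dataclass
class Stage:
    name: str
    match: Callable[[Event, Dict[str, str]], bool]          # (event, bound variables) -> bool
    bind: Callable[[Event], Dict[str, str]] = lambda e: {}  # variables exported by stage 1
    min_count: int = 1                                      # events needed to satisfy the stage
    within: timedelta = timedelta(minutes=30)               # max delay after the previous stage

@dataclass
class Incident:
    pattern: str
    bindings: Dict[str, str]
    evidence: Dict[str, List[Event]]   # stage name -> matched events, kept for drill-down

def parse_log(text: str) -> List[Event]:
    """Parse the constructed '<ts> <sensor> <kind> <src> <dst> [<detail>]' format."""
    events = []
    for line in text.strip().splitlines():
        ts, sensor, kind, src, dst, detail = (line.split(maxsplit=5) + [""])[:6]
        events.append(Event(datetime.fromisoformat(ts), sensor, kind, src, dst, detail))
    return events

def correlate(events: List[Event], name: str, stages: List[Stage]) -> List[Incident]:
    """One Incident per group of events that completes every stage, in order and in time."""
    events = sorted(events, key=lambda e: e.ts)
    first = stages[0]
    groups: Dict[Tuple, List[Event]] = {}   # stage-1 events grouped by what they bind
    for e in events:
        if first.match(e, {}):
            groups.setdefault(tuple(sorted(first.bind(e).items())), []).append(e)
    incidents = []
    for key, hits in groups.items():
        if len(hits) < first.min_count:
            continue                        # below threshold: noise, not a brute force
        bindings, evidence = dict(key), {first.name: hits}
        clock = hits[-1].ts                 # later stages must follow the last failure
        for stage in stages[1:]:
            matched = [e for e in events
                       if clock < e.ts <= clock + stage.within and stage.match(e, bindings)]
            if len(matched) < stage.min_count:
                break                       # causal chain broken: pattern not completed
            evidence[stage.name] = matched
            clock = matched[0].ts           # next window opens when this stage is first seen
        else:
            incidents.append(Incident(name, bindings, evidence))
    return incidents

# Analyst-defined pattern; thresholds and windows are illustrative assumptions.
BRUTE_FORCE_THEN_LATERAL = [
    Stage("brute_force", match=lambda e, b: e.kind == "AUTH_FAIL",
          bind=lambda e: {"attacker": e.src, "victim": e.dst}, min_count=5),
    Stage("compromise", within=timedelta(minutes=10),
          match=lambda e, b: e.kind == "AUTH_SUCCESS"
          and e.src == b["attacker"] and e.dst == b["victim"]),
    Stage("lateral_movement", min_count=2,
          match=lambda e, b: e.kind in ("NEW_OUTBOUND", "PORT_SCAN") and e.src == b["victim"]),
]

def drill_down(inc: Incident) -> Dict[str, object]:
    """What the analyst wants from a match: who, which host, how, and where next."""
    lateral = inc.evidence.get("lateral_movement", [])
    return {
        "attacker": inc.bindings["attacker"],
        "victim": inc.bindings["victim"],
        "accounts_tried": sorted({e.detail for e in inc.evidence["brute_force"]}),
        "account_compromised": inc.evidence["compromise"][0].detail,
        "lateral_targets": sorted({e.dst for e in lateral}),
        "methods": sorted({f"{e.sensor}: {e.kind} {e.detail}" for e in lateral}),
    }

# Constructed sample events from three agents; the 10.0.0.9 failure is a decoy.
SAMPLE_LOG = """
2017-08-07T09:00:01 ssh-agent AUTH_FAIL 10.0.0.7 192.168.1.10 user=root
2017-08-07T09:00:02 ssh-agent AUTH_FAIL 10.0.0.7 192.168.1.10 user=root
2017-08-07T09:00:03 ssh-agent AUTH_FAIL 10.0.0.7 192.168.1.10 user=admin
2017-08-07T09:00:04 ssh-agent AUTH_FAIL 10.0.0.7 192.168.1.10 user=admin
2017-08-07T09:00:05 ssh-agent AUTH_FAIL 10.0.0.7 192.168.1.10 user=backup
2017-08-07T09:00:09 ssh-agent AUTH_SUCCESS 10.0.0.7 192.168.1.10 user=backup
2017-08-07T09:03:00 netflow-agent NEW_OUTBOUND 192.168.1.10 192.168.1.11 port=445
2017-08-07T09:03:09 ids-agent PORT_SCAN 192.168.1.10 192.168.1.0/24 ports=22,445,3389
2017-08-07T09:10:00 ssh-agent AUTH_FAIL 10.0.0.9 192.168.1.20 user=root
"""

if __name__ == "__main__":
    for inc in correlate(parse_log(SAMPLE_LOG), "brute_force_then_lateral", BRUTE_FORCE_THEN_LATERAL):
        print(drill_down(inc))
```

Running the block reports a single incident with attacker 10.0.0.7 and victim 192.168.1.10, the accounts tried, the account that finally succeeded, and the hosts the victim then reached; the lone failure against 192.168.1.20 stays below the threshold and produces nothing. The thresholds and windows are the analyst's tuning knobs: lowering `min_count` on the first stage or widening `within` on the later ones trades missed chains for more false positives, which is exactly the judgement the abstract leaves to the analyst. The first stage here does not bound how long the failures may be spread over; a deployable version would add a burst window to that stage as well.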

Acknowledgments

This work was partially supported by the H2020 EU-funded project Collaborative and Confidential Information Sharing and Analysis for Cyber Protection, C3ISP [GA #700294]. The views expressed in this paper are solely those of the authors and do not necessarily represent the views of their employers, the C3ISP project, or the Commission of the European Union.

Corresponding author

Correspondence to Ian Herwono.

Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature

Cite this paper

Herwono, I., El-Moussa, F.A. (2018). A System for Detecting Targeted Cyber-Attacks Using Attack Patterns. In: Mori, P., Furnell, S., Camp, O. (eds) Information Systems Security and Privacy. ICISSP 2017. Communications in Computer and Information Science, vol 867. Springer, Cham. https://doi.org/10.1007/978-3-319-93354-2_2

  • DOI: https://doi.org/10.1007/978-3-319-93354-2_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-93353-5

  • Online ISBN: 978-3-319-93354-2
