A System for Detecting Targeted Cyber-Attacks Using Attack Patterns

Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 867)


Detecting multi-stage cyber-attacks remains a challenge for any security analyst working in large corporate environments. Conventional security solutions such as intrusion detection systems tend to report huge amount of alerts that still need to be examined and cross-checked with other available data in order to eliminate false positives and identify any legitimate attacks. Attack patterns can be used as a means to describe causal relationships between the events detected at different stages of an attack. In this paper, we introduce an agent-based system that collects relevant event data from various sources in the network, and then correlates the events according to predefined attack patterns. The system allows security analysts to formulate the attack patterns based on their own knowledge and experience, and test them on available datasets. We present an example attack pattern for discovering suspicious activities in the network following a potential brute force attack on one of the servers. We discuss the results produced by our prototype implementation and show how a security analyst can drill down further into the data to identify the victim and obtain information about the attack methods.


Cyber security Attack patterns Knowledge sharing Visualization 



This work was partially supported by the H2020 EU-funded project Collaborative and Confidential Information Sharing and Analysis for Cyber Protection, C3ISP [GA #700294]. The views expressed in this paper are solely those of the authors and do not necessarily represent the views of their employers, the C3ISP project, or the Commission of the European Union.


  1. 1.
    Alnas, M., Hanashi, A.M., Laias, E.M.: Detection of Botnet multi-stage attack by using alert correlation model. Int. J. Eng. Sci. IJES 2(10), 24–34 (2013)Google Scholar
  2. 2.
    Alserhani, F., Akhlaq, M., Awan, I.U., Cullen, A.J., Mirchandani, P.: MARS: multi-stage attack recognition system. In: Proceedings of the 24th IEEE International Conference on Advanced Information Networking and Applications, Perth, WA (2010)Google Scholar
  3. 3.
    Ammann, P., Wijesekera, D., Kaushik, S.: Scalable, graph-based network vulnerability analysis. In: Proceedings of the 9th ACM Conference on Computer and Communications Security, Washington, DC (2002)Google Scholar
  4. 4.
    Barnum, S.: An introduction to attack patterns as a software assurance knowledge resource. In: OMG Software Assurance Workshop, Fairfax, VA (2007)Google Scholar
  5. 5.
    Bhatt, P., Yano, E.T., Gustavsson, P.M.: Towards a framework to detect multi-stage advanced persistent threats attacks. In: Proceedings of the IEEE 8th International Symposium on Service Oriented System Engineering, Oxford, UK (2014)Google Scholar
  6. 6.
    C3ISP – Collaborative and Confidential Information Sharing and Analysis for Cyber Protection Project Homepage. Accessed 17 Aug 2017
  7. 7.
    CAPEC – Common Attack Pattern Enumeration and Classification Homepage. Accessed 17 Aug 2017
  8. 8.
    Capture files from Mid-Atlantic CCDC (Collegiate Cyber Defense Competition) - MACCDC 2012. Accessed 07 Aug 2017
  9. 9.
    Cheung, S., Lindqvist, U., Fong, M.W.: Modelling multistep cyber attacks for scenario recognition. In: Proceedings of the 3rd DARPA Information Survivability Conference and Exposition, DISCEX III, Washington, DC, vol. 1 (2003)Google Scholar
  10. 10.
    Clark, D.D., Landau, S.: The problem isn’t attribution; it’s multi-stage attacks. In: Proceedings of the Re-Architecting the Internet Workshop, Philadelphia, US. ACM (2010)Google Scholar
  11. 11.
    Hutchins, E., Cloppert, M., Amin, R.: Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. In: Proceedings of the 6th International Conference on Information Warfare and Security, Washington, DC (2011)Google Scholar
  12. 12.
    Herwono, I., El-Moussa, F.: A collaborative tool for modelling multi-stage attacks. In: Camp, O., Mori, P., Furnell, S. (eds.) Proceedings of the 3rd International Conference on Information Systems Security and Privacy, pp. 312–317 (2017)Google Scholar
  13. 13.
    Scarabeo, N., Fung, B.C.M., Khokhar, R.H.: Mining known attack patterns from security-related events. PeerJ Comput. Sci. 1, e25 (2015)CrossRefGoogle Scholar
  14. 14.
    Sood, A.K., Enbody, R.J.: Targeted cyber attacks: a superset of advanced persistent threats. Secur. Priv. 11(1), 54–61 (2013)Google Scholar
  15. 15.
    Wang, L., Liu, A., Jajodia, S.: Using attack graphs for correlating, hypothesizing, and predicting intrusion alerts. Comput. Commun. 29(15), 2917–2933 (2006)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. 1.Security Futures Practice, Research and Innovation, BTIpswichUK

Personalised recommendations