Jie Lei,Zhi-Tang Li

DOI: https://doi.org/10.1109/chinacom.2007.4469413

2007-01-01

Abstract:An intrusion detection system (IDS) generates alerts indicating what malicious behaviors are going on against the protected network system. When comparing the real-time reported IDS alerts with the network attack graph which provides all possible sequences of exploits that an intruder may use to penetrate the system, some prediction on future attacks can be made. In this paper we proposed a novel approach to predicting future attacks. First an attack graph is generated through data mining and the predictability of every attack scenario which represents how probable there would be oncoming attacks following the attack scenario can be estimated. Then in real-time intrusion detection environment the IDS alerts are correlated into attack scenarios and ranked by their predictability scores. Finally the attack scenarios with high predictability are used as the evidence to make prediction on future attacks. The effectiveness of the approach has been validated with a honeynet system.

Xu Jinghu,Li Aiping,Zhao Hui,Yin Hong

DOI: https://doi.org/10.1109/iccsnt.2012.6525959

2012-01-01

Abstract:One fundamental challenge for Alert Correlation(AC) is to learn attack strategies. Attack graph is one of the most commonly used models to describe attack patterns(strategies), however, attack graph generating technology is far from practical. There are two general approaches to generate attack graphs. The first uses graph based search technology to find the paths of possible attacks, such as model checking, assumes that the premises and consequences of the attacks are known. And the other makes use of statistical method, such as frequent sequence mining, try to find the relationship of attacks in the dimension of time. In this paper, we proposed a graph mining based approach to discover attack patterns for attack graph generating. Firstly, we propose a new structure ECG, and transform sequential events into ECG, in which their time sequential and space relations is reserved. Moreover, we propose a DAG mining algorithm to discovery the frequent graph patterns from the ECG, and finally transform the graph patterns into attack graph. Different to existing methods, our method finds relationship of attacks in the dimension of both time and space, so that it can detect attacks more concisely. The effectiveness and efficiency of the approach is validated by DARPA 1999, 2000 intrusion detection evaluation datasets. As far as we know, this is the first time to discover knowledge of attack based on graph mining.

Wang Li,Li Zhi-tang,Lei Jie

DOI: https://doi.org/10.1109/INM.2007.374834

2007-01-01

Abstract:Huge volume of security data from different security devices can overwhelm security managers and keep them from performing effective analysis and initiating timely response. Therefore, it is important to develop an advanced alert correlation system that can reduce alert redundancy, intelligently correlate security alerts and detect attack strategies. In this paper, we proposed a new method of mining multi-stage attack behaviors pattern in order to recognize attacker's high-level strategies and predict upcoming attack intentions. We apply a reformative Apriori algorithm to mine frequent attack sequence patterns from history alert data. We use correlativity between two contextual elements in the attack sequence to correlate attack behaviors and identify potential attack intentions. The idea is easy to implement and it can be used to detect novel multi-stage attack strategies compared with other techniques. Experiments show that our approach can effectively learn high level attack strategies and can accordingly predict next possible attack behavior.

Zhitang Li,Aifang Zhang,Dong Li,Li Wang

DOI: https://doi.org/10.1007/978-3-540-73871-8_6

2007-01-01

Abstract:In monitoring anomalous network activities, intrusion detection systems tend to generate a large amount of alerts, which greatly increase the workload of post-detection analysis and decision-making. A system to detect the ongoing attacks and predict the upcoming next step of a multistage attack in alert streams by using known attack patterns can effectively solve this problem. The complete, correct and up to date pattern rule of various network attack activities plays an important role in such a system. An approach based on sequential pattern mining technique to discover multistage attack activity patterns is efficient to reduce the labor to construct pattern rules. But in a dynamic network environment where novel attack strategies appear continuously, the novel approach that we propose to use incremental mining algorithm shows better capability to detect recently appeared attack. In order to improve the correctness of results and shorten the running time of the mining algorithms, the directed graph is presented to restrict the scope of data queried in mining phase, which is especially useful in incremental mining. Finally, we remove the unexpected results from mining by computing probabilistic score between successive steps in a multistage attack pattern. A series of experiments show the validity of the methods in this paper.

Zhi-tang Li,Jie Lei,Li Wang,Dong Li

DOI: https://doi.org/10.1109/nas.2007.15

2007-01-01

Abstract:In this paper a novel approach to assessing the threat of network intrusions is proposed. Unlike the present approaches which assess the attack threat either from a backward perspective (how probable a security state can be reached) or from the perspective of the attacks themselves (how much an attack would cause damage to the network), this approach assesses the attack threat from a forwarding perspective (how probable it would be the precursor of future attacks). First, to every attack type and some attack scenarios, their probabilities of having following attacks(PFAs) are calculated by a data mining algorithm. Then the threats of real time intrusions are assessed by these probabilities. The result of the threat assessment can help identify the intrusion alerts which would be the best evidence for the coming attacks from tremendous amount of intrusion alerts, thus this approach can be used for intrusion prediction. The approach is validated by DARPA 2000 and DARPA 1999 intrusion detection evaluation datasets.

DOI: https://doi.org/10.36652/0869-4931-2024-78-5-230-234

2024-01-01

Abstract:Attack graphs are a popular area of research that display all the paths an trespasser can take to penetrate a network. Existing graph generation methods rely heavily on expert opinion regarding network vulnerabilities and topology. An intrusion detection system based on graph-directed analytics of the big data analytics, which is based on machine learning, is proposed, which made it possible to obtain good accuracy results and a high level of attack detection during its testing. Keywords attack, graph, detection, machine learning, network

Rahul Chandran,Wei Q. Yan

DOI: https://doi.org/10.4018/ijdcf.2014010103

2014-01-01

International Journal of Digital Crime and Forensics

Abstract:The development of technology in computer networks has boosted the percentage of cyber-attacks today. Hackers are now able to penetrate even the strongest IDS and firewalls. With the help of anti-forensic techniques, attackers defend themselves, from being tracked by destroying and distorting evidences. To detect and prevent network attacks, the main modus of operandi in network forensics is the successful implementation and analysis of attack graph from gathered evidences. This paper conveys the main concepts of attack graphs, requirements for modeling and implementation of graphs. It also contributes the aspect of incorporation of anti-forensic techniques in attack graph which will help in analysis of the diverse possibilities of attack path deviations and thus aids in recommendation of various defense strategies for better security. To the best of our knowledge, this is the first time network anti-forensics has been fully discussed and the attack graphs are employed to analyze the network attacks. The experimental analysis of anti-forensic techniques using attack graphs were conducted in the proposed test-bed which helped to evaluate the model proposed and suggests preventive measures for the improvement of security of the networks.

Shaojun Zhang,Jianhua Li,Xiuzhen Chen,Lei Fan

DOI: https://doi.org/10.1109/chinacom.2008.4685009

2008-01-01

Abstract:Most network administrators have got the unpleasant experience of being overwhelmed by tremendous unstructured network security alerts produced by heterogeneous network devices. To date, various approaches have been proposed to correlate security alerts, including the adoption of network attack graphs to clarify their causal relationship. However, there still lacks an operational method to generate attack graphs tailored for alert correlation, especially in large scale network environments. In this paper, we propose a kind of attack graph which can be built in polynomial time using an intuitive object-oriented method. Based on the graph, a criterion is given out to correlate security alerts into scenarios. As practice, a prototype system is implemented to testify the feasibility of the approaches.

Yuedong Pan,Lijun Cai,Tao Leng,Lixin Zhao,Jiangang Ma,Aimin Yu,Dan Meng

DOI: https://doi.org/10.1007/978-3-031-25538-0_27

2023-01-01

Abstract:In an enterprise environment, intrusion detection systems generate many threat alerts on anomalous events every day, and these alerts may involve certain steps of a long-dormant advanced persistent threat (APT). In this paper, we present AttackMiner, an attack detection framework that combines contextual information from audit logs. Our main observation is that the same attack behavior may occur in various possible contexts, and combining various possible contextual information can provide more effective information for detecting such attacks. We utilize a combination of provenance graph causal analysis and deep learning techniques to build a graph-structure-based model that builds key patterns of attack graphs and benign graphs from audit logs. During detection, the detection system creates provenance graphs using the input audit logs. After being optimized by our customized graph optimization mechanism, it identifies whether an attack has occurred. Our evaluations on the DARPA TC dataset show that AttackMiner can successfully detect attack behaviors with high accuracy and efficiency. Through this effort, we provide security investigators with a new approach of identifying attack activity from audit logs.

Wang Li,Li Zhi-tang,Lei Jie,Li Yao

DOI: https://doi.org/10.1109/icebe.2006.9

2006-01-01

Abstract:Large volume of security data can overwhelm security managers and keep them from performing effective analysis and initiating timely response. Therefore, it is important to develop an advanced alert correlation system to reduce alert redundancy, intelligently correlate security alerts and detect attack strategies. In our system, we introduced statistical filtering method in attack plan recognition. We apply statistical-based techniques to filter out separated and scattered attack behavior and mining frequent attack sequence patterns from the remainder. We use correlativity between two elements in frequent attack sequences to correlate the attack behavior and identify potential attack intentions based on it. We evaluate our approaches using DARPA 2000 data sets. The experiment shows that our approach can effectively discover attack scenarios in reality, provide a quantitative analysis of attack scenarios

Jiang Shan,Chen Changai

DOI: https://doi.org/10.2991/isrme-15.2015.109

2015-01-01

Abstract:The security of software applications, from web-based applications to mobile services, is always at risk because of the open society of internet. With the increase in the number of network throughput and security threats, intrusion detection system has attracted much attention in recent years. In this paper, we undertake the research on the principle techniques for network intrusion detection based on data mining and analysis approach. We adopt the prior knowledge on Bayesian network which is a directed acyclic graph, each node represents a random variable and an edge said direct probabilistic dependencies between two connected nodes. Then, we use the traditional risk assessment model to measure the possibility of being hearted. The numeric analysis and experimental illustration indicates the effectiveness of our method compared with other popular adopted state-of-the-art methodologies. In the future, we plan to introduce the graph and complex network theory into our prototype system to enhance the performance.

shaojun zhang,lan li,jianhua li,shanshan song,xiuzhen chen

DOI: https://doi.org/10.1109/CHINACOM.2009.5339841

2009-01-01

Abstract:Network attack graphs are originally used to evaluate what the worst security state will be if a network is under attack. Along with observed intrusion evidences, we can further use attack graphs to extrapolate the current security state of a concerned network. Methods have been proposed in recent years to use observed intrusion evidences to compute the node belief metric of network attack graphs. However, these methods suffer either from low model generality, high computational complexity or immoderate dependence on empirical formulas. To overcome these obstacles, we improve one of the Bayesian network inference algorithms - the likelihood weighting algorithm into a novel node belief metric computation method. Experiment results show our method can achieve high computational accuracy in linear computational complexity, a feature making it feasible to be used to process large scale network attack graphs in real-time.

Anming Xie,Guodong Chen,Yonggang Wang,Zhong Chen,Jianbin Hu

2009-01-01

Abstract:To address the scalability problem in attack graphs generation, we propose a novel method to generate attack graphs automatically. Our approach constructs a two- tier attack graph framework, which includes a host access graph and some sub-attack graphs .A sub-attack graph describes concrete attack scenarios from one source host to one target host, while the host access graph describes the attacker's privilege transition among hosts. Our sub-attack graphs and host access graph have remarkable smaller scales and can help network administrators to find the key hosts in attack sequences. Analysis shows that the upper bound computational cost of our model is O(N 3 ), which could also be competed in real time. The following experiment validates our approach. Keywords-network security; attack graphs; host access graph; sub-attack graph; I. INTRODUCTION

Safaa O. Al-Mamory,Zhai Jianhong,Zhang Hongli

2008-01-01

Abstract:Building attack scenario is one of the most important aspects in network security. This paper proposed a system which collects intrusion alerts, clusters them as sub-attacks using alerts abstraction, aggregates the similar sub-attacks, and then correlates and generates correlation graphs. The scenarios were represented by alert classes instead of alerts themselves so as to reduce the required rules and have the ability of detecting new variations of attacks. The proposed system is capable of passing some of the missed attacks. To evaluate system effectiveness, it was tested with different datasets which contain multi-step attacks. Compressed and easily understandable correlation graphs which reflect attack scenarios were generated. The proposed system can correlate related alerts, uncover the attack strategies, and detect new variations of attacks.

Jianyi Liu,Bowen Liu,Ru Zhang,Cong Wang

DOI: https://doi.org/10.1007/978-3-030-24265-7_6

2019-01-01

Abstract:In order to find attack patterns from a large number of redundant alert logs, build multi-step attack scenarios, and eliminate the false alerts of the alert logs, this paper proposes a new multi-step attack scenario construction model, which is divided into two parts: offline mode and online mode. In the offline mode, the known real attack alert log is used to train the neural network for removing error alerts, and eventually to generate a Bayesian network attack graph by alert aggregation processing and causal association attack sequence. In the online mode, a large number of online alert logs are used to update the neural network and the Bayesian network attack graph generated by the previous offline mode, so that the iterative attack graph is more complete and accurate. In the end, we extract a variety of multi-step attack scenarios from the Bayesian network attack graph to achieve the purpose of eliminating false alerts in the redundant IDS alert logs. In order to verify the validity of the algorithm, we use the DARPA 2000 dataset to test, and the results show that the algorithm has higher accuracy.

Junyi Zhao,Tao Tang,Bing Bu,Qichang Li

DOI: https://doi.org/10.1049/cit2.12288

IF: 7.985

2024-01-01

CAAI Transactions on Intelligence Technology

Abstract:The Advanced Persistent Threats (APTs) have emerged as one of the key security challenges to industrial control systems. APTs are complex multi-step attacks, and they are naturally diverse and complex. Therefore, it is important to comprehend the behaviour of APT attackers and anticipate the upcoming attack actions. GNN-AP is proposed, a framework utilising an alert log to predict potential attack targets. Firstly, GNN-AP uses causality to eliminate confounding elements from the alert dataset and then uses an encoder-decoder model to reconstruct an attack scenario graph. Based on the chronological characteristics of APT attacks, GNN-AP identifies APT attack sequences from attack scenario graphs and integrates these attack sequences with communication-based train control (CBTC) devices topology information to construct an Attack-Target Graph. Based on the attack-target graph, a graph neural network approach is used to identify the attack intent and transforms the attack prediction problem into a link prediction problem that predicts the connected edges of the attack and target nodes. The simulation results obtained using DARPA data show that the proposed method can improve the comparison methods by 4% of accuracy in terms of prediction. Furthermore, the method was applied to the CBTC system dataset with a prediction accuracy of 88%, demonstrating the efficacy of the proposed method for industrial control systems.

Zhichao Hu,Xiangzhan Yu,Jiantao Shi,Lin Ye

DOI: https://doi.org/10.32604/cmc.2021.017574

2021-01-01

Abstract:With the continuous development of network technology, various large-scale cyber-attacks continue to emerge. These attacks pose a severe threat to the security of systems, networks, and data. Therefore, how to mine attack patterns from massive data and detect attacks are urgent problems. In this paper, an approach for attack mining and detection is proposed that performs tasks of alarm correlation, false-positive elimination, attack mining, and attack prediction. Based on the idea of CluStream, the proposed approach implements a flow clustering method and a two-step algorithm that guarantees efficient streaming and clustering. The context of an alarm in the attack chain is analyzed and the LightGBM method is used to perform false-positive recognition with high accuracy. To accelerate the search for the filtered alarm sequence data to mine attack patterns, the PrefixSpan algorithm is also updated in the store strategy. The updated PrefixSpan increases the processing efficiency and achieves a better result than the original one in experiments. With Bayesian theory, the transition probability for the sequence pattern string is calculated and the alarm transition probability table constructed to draw the attack graph. Finally, a long-short-term memory network and embedding word-vector method are used to perform online prediction. Results of numerical experiments show that the method proposed in this paper has a strong practical value for attack detection and prediction.

Shaojun Zhang,Jianhua Li,Xiuzhen Chen,Lei Fan

DOI: https://doi.org/10.1016/j.cose.2008.05.005

IF: 5.105

2008-01-01

Computers & Security

Abstract:Most network administrators have got unpleasant experience of being overwhelmed by tremendous unstructured network security alerts produced by heterogeneous devices. To date, various approaches have been proposed to correlate security alerts, including the adoption of attack graphs to clarify their causal relationship. However, there still lacks an efficient and operational method to generate attack graphs tailored to alert causal correlation. In this paper, we propose a kind of ''one-step worst'' attack graph which can be built in polynomial time using an intuitive object-oriented method. Based on the graph, a principle is given out to correlate security alerts into scenarios. To prove its feasibility, we implemented a prototype system which can efficiently divide real-time alert streams into plausible attack scenarios.

Yuzhong Chen,Zhenyu Liu,Yulin Liu,Chen Dong

DOI: https://doi.org/10.3390/e22091026

IF: 2.738

2020-01-01

Entropy

Abstract:Attack graph modeling aims to generate attack models by investigating attack behaviors recorded in intrusion alerts raised in network security devices. Attack models can help network security administrators discover an attack strategy that intruders use to compromise the network and implement a timely response to security threats. However, the state-of-the-art algorithms for attack graph modeling are unable to obtain a high-level or global-oriented view of the attack strategy. To address the aforementioned issue, considering the similarity between attack behavior and workflow, we employ a heuristic process mining algorithm to generate the initial attack graph. Although the initial attack graphs generated by the heuristic process mining algorithm are complete, they are extremely complex for manual analysis. To improve their readability, we propose a graph segmentation algorithm to split a complex attack graph into multiple subgraphs while preserving the original structure. Furthermore, to handle massive volume alert data, we propose a distributed attack graph generation algorithm based on Hadoop MapReduce and a distributed attack graph segmentation algorithm based on Spark GraphX. Additionally, we conduct comprehensive experiments to validate the performance of the proposed algorithms. The experimental results demonstrate that the proposed algorithms achieve considerable improvement over comparative algorithms in terms of accuracy and efficiency.

Yu-Xin Ding,Hai-Sen Wang,Qing-Wei Liu

DOI: https://doi.org/10.1109/icmlc.2008.4620604

2008-01-01

Abstract:Traditional intrusion detection systems focus on low-level attacks, and only generate isolated alerts. They can't rind logical relations among alerts. In addition, IDS's accuracy is low, a lot of alerts are false alerts. So it is difficult for human users or intrusion response systems to understand the alerts and take appropriate actions. To solve this problem different intrusion scenario detection methods are proposed. In this paper a data mining method is used to find the attack scenarios. Firstly redundancy alerts are checked and deleted, then attack scenario patterns are mined by using the associate-rule algorithms which is an improved Apriori algorithm. These mined scenario patterns are used to rind attack scenarios. In (his paper 1999 DARPA intrusion detection scenario specific datasets are used as the experimental data and the corresponding results are shown. Compared with current scenario detection methods which depend on human knowledge to define attack scenarios, our methods use data mining method to find the scenarios automatically. Our experimental results demonstrate the potential of the proposed method.