# Efficient Attack Correlation and Identification of Attack Scenarios based on Network-Motifs

**Authors:** Steffen Haas, Florian Wilkens, Mathias Fischer

arXiv: 1905.06685 · 2020-03-13

## TL;DR

This paper introduces a network-motif based method for correlating IDS alerts and identifying the attack scenario behind them: alert clusters become graphs whose motif signatures can be compared against reference signatures. On real-world alert data it assigns a scenario to up to 96% of attacks while storing the characteristics in about 1% of the size of the full alert data.

## Contribution

It presents a motif-based graph approach for attack correlation that characterizes a cluster of alerts by a compact motif signature, identifies known attack scenarios (e.g., DDoS, scan, worm) by comparing that signature with reference signatures, and derives new reference signatures for scenarios that are not yet known.

## Key findings

- Assigns an attack scenario to up to 96% of all attacks in real-world alert data
- Represents attack characteristics using about 1% of the size of the full alert data
- Identifies scenarios reliably even when attacks differ in size and slightly in their characteristics

## Abstract

An Intrusion Detection System (IDS) that secures a computer network reports indicators of an attack as alerts. However, a single attack can produce a multitude of IDS alerts that need to be correlated to see the full picture of the attack. In this paper, we present a correlation approach that transforms clusters of alerts into a graph structure on which we compute signatures of network motifs to characterize these clusters. A motif representation of attack characteristics is orders of magnitude smaller than the original alert data, but still allows attacks to be compared and correlated efficiently with each other and with reference signatures. This makes it possible not only to identify known attack scenarios, e.g., DDoS, scan, and worm attacks, but also to derive new reference signatures for unknown scenarios. Our results indicate a reliable identification of scenarios, even when attacks differ in size and at least slightly in their characteristics. Applied to real-world alert data, our approach can classify and assign attack scenarios for up to 96% of all attacks and can represent their characteristics using 1% of the size of the full alert data.
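The pipeline the abstract describes (alert cluster, directed graph, motif signature, comparison with reference signatures, "unknown" when nothing matches) as an added worked example. This is illustration code written for this summary, not the authors' implementation. The concrete choices are assumptions: the motif set is the census of weakly connected directed 3-node subgraphs (triads) identified by a canonical edge bitmask, the signature is the relative frequency of each motif class, the comparison metric is cosine similarity with a 0.8 acceptance threshold, and the scan, DDoS and worm-like clusters are constructed synthetic alerts, not real data. The paper's exact motif set, normalisation and metric are not on this page.

```python
"""
Added example (not the paper's code): motif signatures for clusters of
IDS alerts. Assumptions: 3-node directed triad census as the motif set,
relative-frequency normalisation, cosine similarity, threshold 0.8,
synthetic alert clusters.
"""
from itertools import combinations, permutations
from math import sqrt

# --- alert cluster -> directed graph ---------------------------------------

def build_graph(alerts):
    """alerts: iterable of (src, dst) pairs from one alert cluster.
    Returns the edge set of a simple directed graph; self-loops are dropped
    and repeated alerts between the same two hosts collapse to one edge."""
    return {(s, d) for s, d in alerts if s != d}

# --- motif census: canonical class of a 3-node directed induced subgraph --

# Edge slots of an ordered triple (x, y, z); bit i is set iff that edge exists.
_SLOTS = [(0, 1), (1, 0), (0, 2), (2, 0), (1, 2), (2, 1)]

def _canonical(nodes, edges):
    """Smallest edge bitmask over all relabellings of the three nodes, which
    is the same for isomorphic subgraphs (an isomorphism-class id)."""
    best = None
    for order in permutations(nodes):
        mask = 0
        for bit, (i, j) in enumerate(_SLOTS):
            if (order[i], order[j]) in edges:
                mask |= 1 << bit
        if best is None or mask < best:
            best = mask
    return best

def motif_counts(edges):
    """Count every weakly connected 3-node induced subgraph by motif class."""
    nbrs = {}
    for s, d in edges:
        nbrs.setdefault(s, set()).add(d)
        nbrs.setdefault(d, set()).add(s)
    seen, counts = set(), {}
    # Every connected triad has a node adjacent to both others, so iterating
    # over (centre, pair of its neighbours) reaches each triad at least once.
    for c, ns in nbrs.items():
        for a, b in combinations(sorted(ns), 2):
            tri = frozenset((a, b, c))
            if tri in seen:
                continue
            seen.add(tri)
            code = _canonical(tuple(tri), edges)
            counts[code] = counts.get(code, 0) + 1
    return counts

def signature(edges):
    """Motif signature: relative frequency of each motif class (assumed
    normalisation), so clusters of different size stay comparable."""
    counts = motif_counts(edges)
    total = sum(counts.values()) or 1
    return {code: n / total for code, n in counts.items()}

def similarity(sig_a, sig_b):
    """Cosine similarity of two sparse signature vectors (assumed metric)."""
    keys = set(sig_a) | set(sig_b)
    dot = sum(sig_a.get(k, 0.0) * sig_b.get(k, 0.0) for k in keys)
    na = sqrt(sum(v * v for v in sig_a.values()))
    nb = sqrt(sum(v * v for v in sig_b.values()))
    return dot / (na * nb) if na and nb else 0.0

def classify(edges, references, threshold=0.8):
    """Assign the closest reference scenario; 'unknown' if none is close
    enough, in which case the signature could seed a new reference."""
    sig = signature(edges)
    best, score = max(((name, similarity(sig, ref)) for name, ref in references.items()),
                      key=lambda t: t[1])
    return (best if score >= threshold else "unknown"), score

# --- constructed sample clusters (synthetic, not real alert data) ---------

def scan(attacker, n):           # one source probes n targets
    return [(attacker, f"t{i}") for i in range(n)]

def ddos(target, n):             # n sources hit one target
    return [(f"b{i}", target) for i in range(n)]

def worm(root, depth, fanout):   # each infected host infects `fanout` new hosts
    alerts, frontier, k = [], [root], 0
    for _ in range(depth):
        nxt = []
        for h in frontier:
            for _ in range(fanout):
                k += 1
                alerts.append((h, f"w{k}"))
                nxt.append(f"w{k}")
        frontier = nxt
    return alerts

# Reference signatures learnt from one synthetic instance of each scenario.
REFERENCES = {
    "scan": signature(build_graph(scan("A", 20))),
    "ddos": signature(build_graph(ddos("V", 20))),
    "worm": signature(build_graph(worm("W0", 3, 2))),
}

if __name__ == "__main__":
    for name, alerts in [("small scan", scan("B", 5)),
                         ("shallow worm", worm("X", 2, 2)),
                         ("ring", [("a", "b"), ("b", "c"), ("c", "a")])]:
        label, score = classify(build_graph(alerts), REFERENCES)
        print(f"{name:12s} {len(alerts):3d} alerts -> {label} ({score:.3f})")
```

The size-invariance the abstract claims shows up directly: a 5-target scan and the 20-target reference scan yield identical normalised signatures (one motif class, frequency 1.0), and a worm tree of depth 2 still lands on the depth-3 worm reference because both are dominated by the same chain and out-star motifs in similar proportions. A cluster built from motifs absent in every reference (the ring) scores 0 against all of them and is reported as unknown. Data reduction is visible too: the 190-triad scan reference collapses to a single (class, frequency) pair.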

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1905.06685/full.md

## Figures

14 figures with captions in the complete paper: https://tomesphere.com/paper/1905.06685/full.md

## References

20 references — full list in the complete paper: https://tomesphere.com/paper/1905.06685/full.md

---
Source: https://tomesphere.com/paper/1905.06685