MAAC: Novel Alert Correlation Method To Detect Multi-step Attack
Xiaoyu Wang, Xiaorui Gong, Lei Yu, Jian Liu

TL;DR
MAAC is an alert correlation system that consolidates alerts by their semantics and the attack stage they belong to, which significantly reduces false positives, exposes the attack paths of multi-step cyber attacks, and makes security monitoring more efficient.
Contribution
The paper introduces MAAC, a novel alert correlation method that effectively consolidates alerts and uncovers attack paths in complex multi-stage cyber attacks.
Findings
Reduces alert volume by 90% in real-world datasets
Successfully identifies attack paths from large alert sets
Enhances detection of multi-step attacks
Abstract
As attack techniques keep improving, distributed, complex and targeted attacks in which attackers combine several methods to reach their goal are becoming more common. Advanced cyber attacks proceed through multiple stages to achieve the ultimate objective. Traditional intrusion detection systems, endpoint security management tools, firewalls and other monitoring tools generate a large number of alerts during such an attack. These alerts contain clues to the attack, but also many false positives unrelated to it. Security analysts must sift through a large number of alerts, extract the useful clues and reconstruct the attack scenario. However, most traditional security monitoring tools cannot correlate alerts from different sources, so many multi-step attacks go entirely unnoticed, and the manual analysis left to security analysts becomes like finding a needle in a haystack.…
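The TL;DR and the abstract describe the problem MAAC addresses: several sensors each emit many alerts, most of them repeats or noise, and only a correlated view across sources shows the multi-step attack. The block below is an added illustration written for this page, not MAAC's algorithm and not code from the paper: a toy correlator that maps each alert's signature text to a coarse attack stage via an assumed keyword table, merges alerts with the same meaning into meta-alerts, and chains meta-alerts into candidate attack paths. The alert format, the sensor names (ids, fw, edr), the stage table and the sample alerts are all constructed for the example.

```python
"""Toy multi-source alert correlator (illustrative; not the MAAC algorithm).

Steps: parse alerts from several sensors, map each alert's signature to a coarse
attack stage, consolidate repeated alerts with the same meaning into one
meta-alert, then chain meta-alerts into candidate multi-step attack paths.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample alerts (not real data): "<ts> <sensor> src=.. dst=.. sig=.."
SAMPLE_ALERTS = [
    "2024-05-01T10:00:01 ids src=10.0.0.5 dst=10.0.1.20 sig=SCAN nmap service probe",
    "2024-05-01T10:00:02 ids src=10.0.0.5 dst=10.0.1.20 sig=SCAN nmap service probe",
    "2024-05-01T10:00:03 ids src=10.0.0.5 dst=10.0.1.20 sig=SCAN nmap service probe",
    "2024-05-01T10:01:00 fw  src=10.0.2.7 dst=10.0.2.8 sig=policy violation printer traffic",
    "2024-05-01T10:03:10 ids src=10.0.0.5 dst=10.0.1.20 sig=EXPLOIT web shell upload attempt",
    "2024-05-01T10:03:11 ids src=10.0.0.5 dst=10.0.1.20 sig=EXPLOIT web shell upload attempt",
    "2024-05-01T10:07:40 fw  src=10.0.1.20 dst=203.0.113.9 sig=outbound beacon to unknown host",
    "2024-05-01T10:07:45 fw  src=10.0.1.20 dst=203.0.113.9 sig=outbound beacon to unknown host",
    "2024-05-01T10:09:00 ids src=10.0.3.3 dst=10.0.3.4 sig=SCAN nmap service probe",
    "2024-05-01T10:12:05 edr src=10.0.1.20 dst=203.0.113.9 sig=exfil large upload over https",
]

ALERT_RE = re.compile(r"^(\S+)\s+(\S+)\s+src=(\S+)\s+dst=(\S+)\s+sig=(.*)$")

# Assumed keyword-to-stage table (a stand-in for real alert semantics); checked in
# STAGE_ORDER so an exploit alert mentioning "upload" is not filed under exfil.
STAGE_ORDER = ["recon", "exploit", "c2", "exfil"]
STAGE_KEYWORDS = {
    "recon": ("scan", "nmap", "probe"),
    "exploit": ("exploit", "shell", "overflow"),
    "c2": ("beacon", "c2"),
    "exfil": ("exfil", "upload"),
}


@dataclass(eq=False)  # identity-hashed so meta-alerts can be dict keys
class MetaAlert:
    src: str
    dst: str
    stage: str
    first: datetime
    last: datetime
    count: int = 1
    sensors: set = field(default_factory=set)


def classify_stage(sig):
    text = sig.lower()
    for stage in STAGE_ORDER:
        if any(k in text for k in STAGE_KEYWORDS[stage]):
            return stage
    return "unknown"  # no stage semantics: kept, but never chained into a path


def parse_alert(line):
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable alert: {line!r}")
    ts, sensor, src, dst, sig = m.groups()
    return {"ts": datetime.fromisoformat(ts), "sensor": sensor,
            "src": src, "dst": dst, "sig": sig, "stage": classify_stage(sig)}


def consolidate(lines, window=timedelta(minutes=5)):
    """Merge alerts sharing (src, dst, stage) that arrive within `window` of the
    previous one into a single meta-alert; this is where the volume drops."""
    alerts = sorted((parse_alert(l) for l in lines), key=lambda a: a["ts"])
    open_meta, metas = {}, []
    for a in alerts:
        key = (a["src"], a["dst"], a["stage"])
        m = open_meta.get(key)
        if m is not None and a["ts"] - m.last <= window:
            m.last, m.count = a["ts"], m.count + 1
            m.sensors.add(a["sensor"])
        else:
            m = MetaAlert(a["src"], a["dst"], a["stage"], a["ts"], a["ts"],
                          sensors={a["sensor"]})
            open_meta[key] = m
            metas.append(m)
    return metas


def attack_paths(metas, min_len=2):
    """Chain meta-alerts into paths. A successor is at a later stage, starts after
    the predecessor ends, and originates from a host already involved (the
    attacker or the compromised target). Greedy: the earliest candidate wins."""
    ranked = [m for m in metas if m.stage in STAGE_ORDER]
    nxt = {}
    for m in ranked:
        cands = [n for n in ranked
                 if STAGE_ORDER.index(n.stage) > STAGE_ORDER.index(m.stage)
                 and n.first >= m.last and n.src in (m.src, m.dst)]
        if cands:
            nxt[m] = min(cands, key=lambda n: n.first)
    linked = set(nxt.values())
    paths = []
    for m in ranked:
        if m in linked:  # only start paths at meta-alerts nothing points to
            continue
        path, cur = [m], m
        while cur in nxt:
            cur = nxt[cur]
            path.append(cur)
        if len(path) >= min_len:
            paths.append(path)
    return paths


def summarize(lines=SAMPLE_ALERTS):
    metas = consolidate(lines)
    return {"raw": len(lines), "meta": len(metas),
            "paths": [[m.stage for m in p] for p in attack_paths(metas)]}


if __name__ == "__main__":
    s = summarize()
    print(f"{s['raw']} raw alerts -> {s['meta']} meta-alerts")
    for p in s["paths"]:
        print("attack path:", " -> ".join(p))
```

On the constructed sample, ten raw alerts collapse to six meta-alerts, and only one chain of length two or more survives (recon, exploit, c2, exfil), with the isolated scan against 10.0.3.4 and the printer-policy alert left out of any path. The two things that make the chaining useful are the host handoff (the exploited target becomes the source of the later stages, which is how the c2 and exfil alerts from the firewall and endpoint sensors join the IDS-detected intrusion) and the stage ordering, which rejects chains that run backwards in time or in the attack lifecycle.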
Taxonomy
Topics: Network Security and Intrusion Detection · Information and Cyber Security · Advanced Malware Detection Techniques
