An Effective Attack Scenario Construction Model based on Attack Steps and Stages Identification
Taqwa Ahmed Alhaj, Maheyzah Md Siraj, Anazida Zainal, Inshirah Idris, Anjum Nazir, Fatin Elhaj, Tasneem Darwish

TL;DR
This paper presents a new attack scenario construction model that improves alert correlation accuracy in network intrusion detection by identifying complete relationships among alerts, tested on DARPA 2000 and ISCX2012 datasets.
Contribution
The paper introduces an effective attack scenario construction model that enhances alert correlation accuracy by discovering complete relationships among alerts, addressing false and incomplete correlations.
Findings
Model achieves high completeness and soundness in alert correlation
Successfully tested on DARPA 2000 and ISCX2012 datasets
Improves attack scenario reconstruction accuracy
Abstract
A Network Intrusion Detection System (NIDS) is a network security technology for detecting intruder attacks. However, it produces a large volume of low-level alerts, which makes analysis difficult, especially when the goal is to construct attack scenarios. Attack scenario construction (ASC) via Alert Correlation (AC) is important because it reveals the attacker's strategy in terms of the steps and stages that had to be launched for the attack to succeed. In most existing work, alerts are correlated by classifying them according to cause-effect relationships. The drawback of this approach is that it yields false and incomplete correlations due to the infiltration of raw alerts. To address this problem, this work proposes an effective ASC model that discovers the complete relationship among alerts. The model was evaluated on two datasets, DARPA…
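The abstract describes the common approach that the proposed model improves on: correlating NIDS alerts by cause-effect (prerequisite/consequence) relationships and grouping the linked alerts into attack steps and stages. The following is an added example written for this page, not the authors' model or code: it implements that baseline approach in Python over a constructed set of raw alerts with hypothetical signature names, shaped like a scan, exploit, DDoS-agent install and flood campaign. It also shows two of the problems the abstract alludes to: raw duplicate alerts must be aggregated first, and a prerequisite that holds on the attack's source host (the flood launched from the compromised machine) is missed, giving an incomplete scenario, if correlation naively matches destination hosts only.

```python
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class Alert:
    ts: float   # seconds since start of the capture
    sig: str    # NIDS signature name
    src: str    # source IP
    dst: str    # destination IP


@dataclass
class HyperAlert:
    first: Alert    # earliest raw alert of the merged group
    count: int = 1  # number of raw alerts merged into it


# Constructed knowledge base with hypothetical signature names (not from the
# paper). Each alert type has a stage label, the conditions it requires
# ("pre"), the host those conditions must hold on ("pre_on"), and the
# conditions it establishes on its destination host ("cons").
KB = {
    "ICMP_SWEEP":        dict(stage="recon",   pre=set(),               pre_on="dst", cons={"host_alive"}),
    "SADMIND_PING":      dict(stage="recon",   pre={"host_alive"},      pre_on="dst", cons={"sadmind_exposed"}),
    "SADMIND_BOF":       dict(stage="exploit", pre={"sadmind_exposed"}, pre_on="dst", cons={"root_shell"}),
    "DDOS_AGENT_UPLOAD": dict(stage="install", pre={"root_shell"},      pre_on="dst", cons={"ddos_agent"}),
    # The flood is sent *from* the compromised host, so its prerequisite must
    # be checked on the source address, not on the flood's target.
    "MSTREAM_LAUNCH":    dict(stage="attack",  pre={"ddos_agent"},      pre_on="src", cons=set()),
}
STAGES = ["recon", "exploit", "install", "attack"]


def aggregate(alerts, window=60.0):
    """Merge raw alerts with identical (sig, src, dst) that arrive within
    `window` seconds of the group's first alert; returns hyper-alerts by time."""
    groups = []
    for a in sorted(alerts, key=lambda x: x.ts):
        for h in groups:
            f = h.first
            if (f.sig, f.src, f.dst) == (a.sig, a.src, a.dst) and a.ts - f.ts <= window:
                h.count += 1
                break
        else:
            groups.append(HyperAlert(a))
    return groups


def correlate(hyper, window=3600.0):
    """Return (earlier, later) pairs where a consequence of the earlier
    hyper-alert satisfies a prerequisite of the later one on the right host."""
    edges = []
    for i, later in enumerate(hyper):
        rule = KB[later.first.sig]
        victim = later.first.src if rule["pre_on"] == "src" else later.first.dst
        for earlier in hyper[:i]:
            if earlier.first.dst != victim:
                continue  # condition was established on a different host
            if later.first.ts - earlier.first.ts > window:
                continue  # too far apart to belong to the same campaign
            if KB[earlier.first.sig]["cons"] & rule["pre"]:
                edges.append((earlier, later))
    return edges


def build_scenarios(hyper, edges):
    """Connected components of the correlation graph. Components with two or
    more hyper-alerts become scenarios (time-ordered steps, grouped by stage);
    isolated hyper-alerts are returned separately as uncorrelated."""
    parent = {id(h): id(h) for h in hyper}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in edges:
        parent[find(id(a))] = find(id(b))
    comps = defaultdict(list)
    for h in hyper:
        comps[find(id(h))].append(h)
    scenarios, orphans = [], []
    for members in comps.values():
        if len(members) == 1:
            orphans.append(members[0])
            continue
        members.sort(key=lambda h: h.first.ts)
        by_stage = defaultdict(list)
        for h in members:
            by_stage[KB[h.first.sig]["stage"]].append(h.first.sig)
        scenarios.append({"steps": [h.first.sig for h in members],
                          "stages": {s: by_stage[s] for s in STAGES if s in by_stage}})
    return scenarios, orphans


# Constructed raw alerts: one full campaign against 172.16.1.20 plus noise.
RAW_ALERTS = [
    Alert(10.0, "ICMP_SWEEP", "10.0.0.5", "172.16.1.20"),
    Alert(10.1, "ICMP_SWEEP", "10.0.0.5", "172.16.1.20"),       # duplicate, merged
    Alert(10.2, "ICMP_SWEEP", "10.0.0.5", "172.16.1.21"),       # swept but never attacked
    Alert(300.0, "SADMIND_PING", "10.0.0.5", "172.16.1.20"),
    Alert(900.0, "SADMIND_BOF", "10.0.0.5", "172.16.1.20"),
    Alert(1500.0, "DDOS_AGENT_UPLOAD", "10.0.0.5", "172.16.1.20"),
    Alert(2400.0, "MSTREAM_LAUNCH", "172.16.1.20", "198.51.100.9"),
    Alert(2500.0, "SADMIND_BOF", "192.0.2.77", "172.16.1.30"),  # stray: no recon, no follow-up
]


def construct_scenarios(alerts=RAW_ALERTS):
    hyper = aggregate(alerts)
    return build_scenarios(hyper, correlate(hyper))


if __name__ == "__main__":
    scen, orphans = construct_scenarios()
    for s in scen:
        print("scenario:", " -> ".join(s["steps"]), "|", s["stages"])
    print("uncorrelated:", [(o.first.sig, o.first.dst) for o in orphans])
```

With these inputs the five linked hyper-alerts form one scenario spanning all four stages, the sweep of 172.16.1.21 and the stray exploit against 172.16.1.30 stay uncorrelated, and the two identical sweep alerts collapse into a single hyper-alert with count 2. Removing the `pre_on="src"` rule for the flood step is an easy way to see the incompleteness problem the abstract mentions: the launch alert then drops out of the scenario.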
Taxonomy
Topics: Network Security and Intrusion Detection · Advanced Malware Detection Techniques · Internet Traffic Analysis and Secure E-voting
