Causal knowledge analysis for detecting and modeling multi‐step attacks. Issue 18 (3rd February 2017)
- Record Type:
- Journal Article
- Title:
- Causal knowledge analysis for detecting and modeling multi‐step attacks. Issue 18 (3rd February 2017)
- Main Title:
- Causal knowledge analysis for detecting and modeling multi‐step attacks
- Authors:
- Ahmadian Ramaki, Ali
Rasoolzadegan, Abbas - Abstract:
- Abstract: In order to understand the security level of an organization network, detection methods are important to tackle the probable risks of the attackers' malicious activities. Intrusion detection systems, as detection solutions of the defense in depth concept, are one of the main devices to record and analyze suspicious behaviors. Besides the benefits of these systems for security enhancement, they will bring some challenges and issues for security administrators. A large number of raw alerts generated by the intrusion detection systems clearly reflect the need for a novel proactive alert correlation framework to reduce redundant alerts, correlate security incidents, discover and model multi‐step attack scenarios, and track them. Several alert correlation frameworks have been proposed in the literature, but the majority of them address the alert correlation in the offline settings. In this paper, we propose a three‐phase alert correlation framework, which processes the generated alerts in real time, correlates the alerts with the aid of causal knowledge discovery to automatically extract causal relationships between alerts, constructs the attack scenarios using the Bayesian network concept, and predicts the next goal of the attacks using the creating attack prediction rules. Experimental results show that the scalable proposed framework is efficient enough in learning and detecting known and unknown multi‐step attack scenarios without using any predefined knowledge. TheAbstract: In order to understand the security level of an organization network, detection methods are important to tackle the probable risks of the attackers' malicious activities. Intrusion detection systems, as detection solutions of the defense in depth concept, are one of the main devices to record and analyze suspicious behaviors. Besides the benefits of these systems for security enhancement, they will bring some challenges and issues for security administrators. A large number of raw alerts generated by the intrusion detection systems clearly reflect the need for a novel proactive alert correlation framework to reduce redundant alerts, correlate security incidents, discover and model multi‐step attack scenarios, and track them. Several alert correlation frameworks have been proposed in the literature, but the majority of them address the alert correlation in the offline settings. In this paper, we propose a three‐phase alert correlation framework, which processes the generated alerts in real time, correlates the alerts with the aid of causal knowledge discovery to automatically extract causal relationships between alerts, constructs the attack scenarios using the Bayesian network concept, and predicts the next goal of the attacks using the creating attack prediction rules. Experimental results show that the scalable proposed framework is efficient enough in learning and detecting known and unknown multi‐step attack scenarios without using any predefined knowledge. The results also show that the proposed framework perfectly estimates complex attacks before they can damage the assets of the network. Copyright © 2017 John Wiley & Sons, Ltd. Abstract : In this paper, we propose a three‐phase alert correlation (called 3PAC) framework, which processes intrusion detection systems (IDSs) alerts in real‐time, correlates the alerts with the aid of causal knowledge discovery, constructs the attack scenarios using the Bayesian network concept and predicts the next goal of the attacks. Experimental results show that the scalable proposed framework is efficient enough in learning and detecting known and unknown multi‐step attack scenarios in a proactive manner without using any predefined knowledge. … (more)
- Is Part Of:
- Security and communication networks. Volume 9:Issue 18(2016)
- Journal:
- Security and communication networks
- Issue:
- Volume 9:Issue 18(2016)
- Issue Display:
- Volume 9, Issue 18 (2016)
- Year:
- 2016
- Volume:
- 9
- Issue:
- 18
- Issue Sort Value:
- 2016-0009-0018-0000
- Page Start:
- 6042
- Page End:
- 6065
- Publication Date:
- 2017-02-03
- Subjects:
- network security -- intrusion detection system -- alert correlation -- attack prediction -- causal knowledge
Computer networks -- Security measures -- Periodicals
Computer security -- Periodicals
Cryptography -- Periodicals
005.805 - Journal URLs:
- http://onlinelibrary.wiley.com/journal/10.1002/(ISSN)1939-0122 ↗
https://www.hindawi.com/journals/scn/ ↗
http://onlinelibrary.wiley.com/ ↗ - DOI:
- 10.1002/sec.1756 ↗
- Languages:
- English
- ISSNs:
- 1939-0114
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms) ↗
- Physical Locations:
- British Library HMNTS - ELD Digital store
- Ingest File:
- 2083.xml