Causal knowledge analysis for detecting and modeling multi‐step attacks

Causal knowledge analysis for detecting and modeling multi‐step attacks In order to understand the security level of an organization network, detection methods are important to tackle the probable risks of the attackers' malicious activities. Intrusion detection systems, as detection solutions of the defense in depth concept, are one of the main devices to record and analyze suspicious behaviors. Besides the benefits of these systems for security enhancement, they will bring some challenges and issues for security administrators. A large number of raw alerts generated by the intrusion detection systems clearly reflect the need for a novel proactive alert correlation framework to reduce redundant alerts, correlate security incidents, discover and model multi‐step attack scenarios, and track them. Several alert correlation frameworks have been proposed in the literature, but the majority of them address the alert correlation in the offline settings. In this paper, we propose a three‐phase alert correlation framework, which processes the generated alerts in real time, correlates the alerts with the aid of causal knowledge discovery to automatically extract causal relationships between alerts, constructs the attack scenarios using the Bayesian network concept, and predicts the next goal of the attacks using the creating attack prediction rules. Experimental results show that the scalable proposed framework is efficient enough in learning and detecting known and unknown multi‐step attack scenarios without using any predefined knowledge. The results also show that the proposed framework perfectly estimates complex attacks before they can damage the assets of the network. Copyright © 2017 John Wiley & Sons, Ltd. http://www.deepdyve.com/assets/images/DeepDyve-Logo-lg.png Security and Communication Networks Wiley

Causal knowledge analysis for detecting and modeling multi‐step attacks

Loading next page...
 
/lp/wiley/causal-knowledge-analysis-for-detecting-and-modeling-multi-step-0MlMJfiMXK
Publisher
Wiley Subscription Services, Inc., A Wiley Company
Copyright
Copyright © 2016 John Wiley & Sons, Ltd.
ISSN
1939-0114
eISSN
1939-0122
D.O.I.
10.1002/sec.1756
Publisher site
See Article on Publisher Site

Abstract

In order to understand the security level of an organization network, detection methods are important to tackle the probable risks of the attackers' malicious activities. Intrusion detection systems, as detection solutions of the defense in depth concept, are one of the main devices to record and analyze suspicious behaviors. Besides the benefits of these systems for security enhancement, they will bring some challenges and issues for security administrators. A large number of raw alerts generated by the intrusion detection systems clearly reflect the need for a novel proactive alert correlation framework to reduce redundant alerts, correlate security incidents, discover and model multi‐step attack scenarios, and track them. Several alert correlation frameworks have been proposed in the literature, but the majority of them address the alert correlation in the offline settings. In this paper, we propose a three‐phase alert correlation framework, which processes the generated alerts in real time, correlates the alerts with the aid of causal knowledge discovery to automatically extract causal relationships between alerts, constructs the attack scenarios using the Bayesian network concept, and predicts the next goal of the attacks using the creating attack prediction rules. Experimental results show that the scalable proposed framework is efficient enough in learning and detecting known and unknown multi‐step attack scenarios without using any predefined knowledge. The results also show that the proposed framework perfectly estimates complex attacks before they can damage the assets of the network. Copyright © 2017 John Wiley & Sons, Ltd.

Journal

Security and Communication NetworksWiley

Published: Dec 1, 2016

Keywords: ; ; ; ;

References

You’re reading a free preview. Subscribe to read the entire article.


DeepDyve is your
personal research library

It’s your single place to instantly
discover and read the research
that matters to you.

Enjoy affordable access to
over 12 million articles from more than
10,000 peer-reviewed journals.

All for just $49/month

Explore the DeepDyve Library

Unlimited reading

Read as many articles as you need. Full articles with original layout, charts and figures. Read online, from anywhere.

Stay up to date

Keep up with your field with Personalized Recommendations and Follow Journals to get automatic updates.

Organize your research

It’s easy to organize your research with our built-in tools.

Your journals are on DeepDyve

Read from thousands of the leading scholarly journals from SpringerNature, Elsevier, Wiley-Blackwell, Oxford University Press and more.

All the latest content is available, no embargo periods.

See the journals in your area

DeepDyve Freelancer

DeepDyve Pro

Price
FREE
$49/month

$360/year
Save searches from
Google Scholar,
PubMed
Create lists to
organize your research
Export lists, citations
Read DeepDyve articles
Abstract access only
Unlimited access to over
18 million full-text articles
Print
20 pages/month
PDF Discount
20% off