Causal knowledge analysis for detecting and modeling multi‐step attacks

Causal knowledge analysis for detecting and modeling multi‐step attacks In order to understand the security level of an organization network, detection methods are important to tackle the probable risks of the attackers' malicious activities. Intrusion detection systems, as detection solutions of the defense in depth concept, are one of the main devices to record and analyze suspicious behaviors. Besides the benefits of these systems for security enhancement, they will bring some challenges and issues for security administrators. A large number of raw alerts generated by the intrusion detection systems clearly reflect the need for a novel proactive alert correlation framework to reduce redundant alerts, correlate security incidents, discover and model multi‐step attack scenarios, and track them. Several alert correlation frameworks have been proposed in the literature, but the majority of them address the alert correlation in the offline settings. In this paper, we propose a three‐phase alert correlation framework, which processes the generated alerts in real time, correlates the alerts with the aid of causal knowledge discovery to automatically extract causal relationships between alerts, constructs the attack scenarios using the Bayesian network concept, and predicts the next goal of the attacks using the creating attack prediction rules. Experimental results show that the scalable proposed framework is efficient enough in learning and detecting known and unknown multi‐step attack scenarios without using any predefined knowledge. The results also show that the proposed framework perfectly estimates complex attacks before they can damage the assets of the network. Copyright © 2017 John Wiley & Sons, Ltd. http://www.deepdyve.com/assets/images/DeepDyve-Logo-lg.png Security and Communication Networks Wiley

Causal knowledge analysis for detecting and modeling multi‐step attacks

Loading next page...
 
/lp/wiley/causal-knowledge-analysis-for-detecting-and-modeling-multi-step-0MlMJfiMXK
Publisher
Wiley Subscription Services, Inc., A Wiley Company
Copyright
Copyright © 2016 John Wiley & Sons, Ltd.
ISSN
1939-0114
eISSN
1939-0122
D.O.I.
10.1002/sec.1756
Publisher site
See Article on Publisher Site

Abstract

In order to understand the security level of an organization network, detection methods are important to tackle the probable risks of the attackers' malicious activities. Intrusion detection systems, as detection solutions of the defense in depth concept, are one of the main devices to record and analyze suspicious behaviors. Besides the benefits of these systems for security enhancement, they will bring some challenges and issues for security administrators. A large number of raw alerts generated by the intrusion detection systems clearly reflect the need for a novel proactive alert correlation framework to reduce redundant alerts, correlate security incidents, discover and model multi‐step attack scenarios, and track them. Several alert correlation frameworks have been proposed in the literature, but the majority of them address the alert correlation in the offline settings. In this paper, we propose a three‐phase alert correlation framework, which processes the generated alerts in real time, correlates the alerts with the aid of causal knowledge discovery to automatically extract causal relationships between alerts, constructs the attack scenarios using the Bayesian network concept, and predicts the next goal of the attacks using the creating attack prediction rules. Experimental results show that the scalable proposed framework is efficient enough in learning and detecting known and unknown multi‐step attack scenarios without using any predefined knowledge. The results also show that the proposed framework perfectly estimates complex attacks before they can damage the assets of the network. Copyright © 2017 John Wiley & Sons, Ltd.

Journal

Security and Communication NetworksWiley

Published: Dec 1, 2016

Keywords: ; ; ; ;

References

You’re reading a free preview. Subscribe to read the entire article.


DeepDyve is your
personal research library

It’s your single place to instantly
discover and read the research
that matters to you.

Enjoy affordable access to
over 18 million articles from more than
15,000 peer-reviewed journals.

All for just $49/month

Explore the DeepDyve Library

Search

Query the DeepDyve database, plus search all of PubMed and Google Scholar seamlessly

Organize

Save any article or search result from DeepDyve, PubMed, and Google Scholar... all in one place.

Access

Get unlimited, online access to over 18 million full-text articles from more than 15,000 scientific journals.

Your journals are on DeepDyve

Read from thousands of the leading scholarly journals from SpringerNature, Elsevier, Wiley-Blackwell, Oxford University Press and more.

All the latest content is available, no embargo periods.

See the journals in your area

DeepDyve

Freelancer

DeepDyve

Pro

Price

FREE

$49/month
$360/year

Save searches from
Google Scholar,
PubMed

Create lists to
organize your research

Export lists, citations

Read DeepDyve articles

Abstract access only

Unlimited access to over
18 million full-text articles

Print

20 pages / month

PDF Discount

20% off