DocumentCode
1886797
Title
Automatic attack scenario discovering based on a new alert correlation method
Author
Ebrahimi, Ali ; Navin, Ahmad Habibi Zad ; Mirnia, Mir Kamal ; Bahrbegi, Hadi ; Ahrabi, Amir Azimi Alasti
Author_Institution
I.A.U. of Shabestar, Shabestar, Iran
fYear
2011
fDate
4-7 April 2011
Firstpage
52
Lastpage
58
Abstract
In recent years, many approaches for correlating alerts and discovering attack scenarios have been proposed. However, most of them have drawbacks such as a high dependency on predefined correlation rules and domain knowledge, a very large computing workload in some cases, and a limited ability to discover new attack scenarios. In this paper, we therefore propose a new alert correlation method that automatically extracts multi-step attack scenarios. The method is a multi-phase process that operates on the alerts generated by an IDS. In the normalization phase, alerts are converted into a form that the proposed system can process easily. In the alert winnowing phase, each alert is assigned to the alert sequence (attack scenario) it belongs to. Once the scenario of each alert has been determined, the sub-scenarios and meta-alerts of each scenario are extracted. Finally, a multi-step attack graph is constructed for each attack scenario from the produced meta-alerts. We evaluate our approach on the DARPA 2000 data sets. Our experiments show that the approach can effectively construct multi-step attack scenarios and provide a high-level view of the intruder's intentions.
Keywords
security of data; IDS generated alerts; alert correlation method; alert winnowing phase; automatic attack scenario; correlation rule definitions; domain knowledge; meta alerts; multiphase process; multistep attack graph; multistep attack scenarios; Correlation; Data mining; Humans; IP networks; Intrusion detection; Sensors; Alert correlation; attack graph; multi-step attack;
fLanguage
English
Publisher
ieee
Conference_Titel
Systems Conference (SysCon), 2011 IEEE International
Conference_Location
Montreal, QC
Print_ISBN
978-1-4244-9494-1
Type
conf
DOI
10.1109/SYSCON.2011.5929072
Filename
5929072