Title :
MARS: Multi-stage Attack Recognition System
Author :
Alserhani, Faeiz ; Akhlaq, Monis ; Awan, Irfan U. ; Cullen, Andrea J. ; Mirchandani, Pravin
Author_Institution :
Inf. Res. Inst., Univ. of Bradford, Bradford, UK
Abstract :
Network Intrusion Detection Systems (NIDS) are considered essential mechanisms for ensuring reliable security. Signature-based NIDS use an intrusive model: attack patterns are defined and signature matching is applied to incoming traffic packets. Thousands of signatures and rules are created to specify different attacks and the variations of a single attack. As a result, an enormous volume of low-value data is produced that overwhelms the network administrator. Most of the generated alerts are false positives; this is due to the redundancy caused by the detection techniques and to low-level processing capacity. Moreover, the detection of novel and multi-stage attacks is not efficiently achieved by current systems. Hence, a high-level view of the attacker's behaviour has become a pressing demand. Alert correlation techniques have been widely used to provide intelligent and stateful detection methodologies, the aim being to understand attack steps and predict the expected sequence of events. However, most of the proposed systems are based on rule libraries specified by security experts, which is a cumbersome and error-prone task. Other methods are based on statistical models; these are unable to identify causal relationships between events. In this paper, we identify the limitations of the current techniques and propose a framework for alert correlation that overcomes these shortcomings. An improved "cause and effect" model is presented, working in cooperation with a statistical model to achieve a higher detection rate with minimum false positives. A knowledge-based model with vulnerability and extensional-consequence parameters has been developed to provide a manageable and meaningful graph. The proposed system is evaluated using DARPA 2000 and collected real-life data sets. The results show an improvement in detection rate and a reduction in false positives.
Keywords :
security of data; DARPA 2000; alerts correlation techniques; attack patterns; detection techniques; extensional consequences parameters; knowledge-based model; low-level processing capacity; multistage attack recognition system; network intrusion detection systems; signature-based NIDS; signature-matching; Data mining; Data security; Informatics; Intrusion detection; Knowledge management; Libraries; Mars; Redundancy; Telecommunication traffic; Traffic control; Alerts correlation; Network intrusion detection systems; multi-stage attack;
Conference_Title :
Advanced Information Networking and Applications (AINA), 2010 24th IEEE International Conference on
Conference_Location :
Perth, WA
Print_ISBN :
978-1-4244-6695-5
DOI :
10.1109/AINA.2010.57