Title :
An "Attacker Centric" Cyber Attack Behavior Analysis Technique
Author :
Xuena, Peng ; Hong, Zhao
Author_Institution :
Neusoft Res., Neusoft Co. Ltd., Shenyang
Abstract :
Cyber attack behavior analysis can be roughly classified into "network centric" and "attacker centric" approaches. Compared with the traditional "network centric" approach, the key to implementing the "attacker centric" approach is deciding what to track, in other words, how to find the proper attacker set to be tracked. Current "attacker centric" research mainly focuses on behavior analysis centered on a single attacker, while overlooking the impact of attackers' cooperative relationships on attack behavior analysis. This paper mainly addresses such scenarios. In this paper, the basic concepts and methods of attack behavior tracking and analysis are introduced. As a key technique, the principles of choosing a desirable attacker set are discussed, the concepts of attacker group and group member are introduced, and a simple algorithm for attacker group recognition is proposed. Finally, a prototype system based on the proposed approaches is evaluated on the DARPA 2000 intrusion detection evaluation datasets. The experimental results show that our approach has potential in analyzing complex cooperative attacks.
Keywords :
security of data; DARPA 2000 intrusion detection evaluation datasets; attacker centric cyber attack behavior analysis technique; attacker group recognition; Data security; Forensics; Image analysis; Information analysis; Information security; Intrusion detection; Protection; Prototypes; Target tracking; Telecommunication traffic; alert correlation; attack behavior; behavior analysis; intrusion detection; network security;
Conference_Title :
Advanced Communication Technology, The 9th International Conference on
Conference_Location :
Gangwon-Do
Print_ISBN :
978-89-5519-131-8
DOI :
10.1109/ICACT.2007.358789