DocumentCode :
2604376
Title :
Using vulnerability information and attack graphs for intrusion detection
Author :
Roschke, Sebastian ; Cheng, Feng ; Meinel, Christoph
Author_Institution :
Hasso-Plattner-Inst. (HPI), Univ. of Potsdam, Potsdam, Germany
fYear :
2010
fDate :
23-25 Aug. 2010
Firstpage :
68
Lastpage :
73
Abstract :
Intrusion Detection Systems (IDS) have been widely used to detect malicious behavior in network communication and on hosts. IDS management is an important capability for distributed IDS solutions: it makes it possible to integrate and handle different types of sensors, and to collect and synthesize alerts generated by multiple hosts in the distributed environment. Sophisticated attacks are difficult to detect and make it necessary to integrate multiple data sources for detection and correlation. The attack graph (AG) is an effective method to model, analyze, and evaluate the security of complex computer systems and networks. The attack graph workflow consists of three parts: information gathering, attack graph construction, and visualization. This paper proposes integrating the AG workflow with an IDS management system to improve alert and correlation quality. Vulnerability and system information is used to prioritize and tag incoming IDS alerts, and the AG is used during the correlation process to filter and optimize correlation results. A prototype is implemented using automatic vulnerability extraction and AG creation based on unified data models.
Keywords :
data visualisation; graph theory; security of data; IDS management system; attack graph construction; attack graph visualization; attack graph workflow; correlation process; information gathering; intrusion detection systems; malicious behavior detection; vulnerability information; Correlation; Data mining; Data models; Databases; Security; Sensors; Software;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Information Assurance and Security (IAS), 2010 Sixth International Conference on
Conference_Location :
Atlanta, GA
Print_ISBN :
978-1-4244-7407-3
Type :
conf
DOI :
10.1109/ISIAS.2010.5604041
Filename :
5604041