An iterative alert correlation method for extracting network intrusion scenarios

Alert correlation aims to provide an abstract and high-level view of environment security state, as one can extract attack strategies from raw intrusion alerts. Most existing alert correlation approaches depend on either expert knowledge or predefined patterns for detecting complex attack steps. In this paper we provide a Bayesian network based alert correlation approach that is able to discover attack strategies without need to expert knowledge. The main goal of this work is extracting attack scenarios, with taking into account the sequence of actions. We also try to eliminate redundant relationships in a detected attack scenario. The experimental evaluation using the well-known DARPA 2000 data set shows the efficiency of our proposed approach in extracting the intrusion scenarios.