Title :
Automatic attack plan recognition from intrusion alerts
Author :
Li, Wang ; Zhi-tang, Li ; Jie, Ma ; Yang-Ming, Ma ; Ai-Fang, Zhang
Author_Institution :
Huazhong Univ. of Sci. & Technol., Wuhan
fDate :
July 30 2007-Aug. 1 2007
Abstract :
The amount of security application products connected to the Internet increased so dramatically that they usually generate huge volumes of security audit data. Therefore, it is important to develop an advanced alert correlation system that can reduce data redundancy and provide effective direction. This paper describes the framework, SATA, for Security Alerts and Threats analysis. Using SATA, raw audit data is firstpreprocessed into hi-alerts, which are refined and verified as true threat. We further analyze the correlation-ship of real-time hi-alerts to achieve the goal of online attack plan recognition. A key contribution of the paper is thus in automatic "multistage attack plan recognition". It also solves the problem of detecting novel multi-stage attacks. Experiment shows our approach can effectively correlate multi-stage attack behaviors and identify true attack threats.
Keywords :
Internet; computer crime; telecommunication security; Internet; SATA framework; alert correlation system; automatic multistage attack plan recognition; data redundancy; intrusion alerts; online attack plan recognition; security application products; security audit data; Application software; Artificial intelligence; Computer science; Computer security; Data security; Distributed computing; IP networks; Information security; Project management; Software engineering; Attack; Attack Plan Recognition; Hi-alert Correlation; Sequence Analysis;
Conference_Titel :
Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing, 2007. SNPD 2007. Eighth ACIS International Conference on
Conference_Location :
Qingdao
Print_ISBN :
978-0-7695-2909-7
DOI :
10.1109/SNPD.2007.396
