Automatic attack plan recognition from intrusion alerts

The amount of security application products connected to the Internet increased so dramatically that they usually generate huge volumes of security audit data. Therefore, it is important to develop an advanced alert correlation system that can reduce data redundancy and provide effective direction. This paper describes the framework, SATA, for Security Alerts and Threats analysis. Using SATA, raw audit data is firstpreprocessed into hi-alerts, which are refined and verified as true threat. We further analyze the correlation-ship of real-time hi-alerts to achieve the goal of online attack plan recognition. A key contribution of the paper is thus in automatic "multistage attack plan recognition". It also solves the problem of detecting novel multi-stage attacks. Experiment shows our approach can effectively correlate multi-stage attack behaviors and identify true attack threats.