DocumentCode
3245051
Title
A Framework of Attacker Centric Cyber Attack Behavior Analysis
Author
Xuena Peng ; Hong Zhao
Author_Institution
Univ. Shenyang, Shenyang
fYear
2007
fDate
24-28 June 2007
Firstpage
1449
Lastpage
1454
Abstract
Cyber attack behavior analysis can be roughly classified into "network centric" and "attacker centric" approaches. Compared with the traditional "network centric" approach, the keys to implementing the "attacker centric" approach are investigating the attacker relationship as well as tracking attackers. Current research on the "attacker centric" approach mainly focuses on single attacker centric behavior analysis, but overlooks the attacker relationship and its impact on attack behavior analysis. This paper mainly addresses these issues. In this paper, a framework of attacker centric behavior analysis is proposed. As key techniques, the principles of choosing a desirable attacker set are discussed, the concepts of attacker group and group member are introduced, and the corresponding attacker group recognition algorithms are also proposed. Finally, based on the proposed approaches, a prototype system, CABAS, is developed and evaluated on the DARPA 2000 intrusion detection evaluation datasets. The experimental results show that our approach has potential in analyzing complex cooperative attacks.
Keywords
security of data; attacker centric cyber attack behavior analysis; attacker group recognition algorithms; group member; network centric; Communications Society; Data security; Forensics; Image analysis; Intrusion detection; Pattern analysis; Pattern matching; Protection; Prototypes; Software prototyping;
fLanguage
English
Publisher
ieee
Conference_Titel
Communications, 2007. ICC '07. IEEE International Conference on
Conference_Location
Glasgow
Print_ISBN
1-4244-0353-7
Type
conf
DOI
10.1109/ICC.2007.243
Filename
4288914