Real-time fusion and Projection of network intrusion activity

Intrusion detection systems (IDS) warn of suspicious or malicious network activity and are a fundamental, yet passive, defense-in-depth layer for modern networks. Prior research has applied information fusion techniques to correlate the alerts of multiple IDSs and group those belonging to the same multi-stage attack into attack tracks. Projecting the next likely step in these tracks potentially enhances an analystpsilas situation awareness; however, the reliance on attack plans, complicated algorithms, or expert knowledge of the respective network is prohibitive and prone to obsolescence with the continual deployment of new technology and evolution of hacker tradecraft. This paper presents a real-time continually learning system capable of projecting attack tracks that does not require a priori knowledge about network architecture or rely on static attack templates. The intrusion projection system is framed as part of a larger information fusion and impact assessment architecture for cyber security.