• DocumentCode
    2274626
  • Title
    Attack plan recognition and prediction using causal networks
  • Author
    Qin, Xinzhou ; Lee, Wenke
  • Author_Institution
    Georgia Inst. of Technol., Atlanta, GA, USA
  • fYear
    2004
  • fDate
    6-10 Dec. 2004
  • Firstpage
    370
  • Lastpage
    379
  • Abstract
    Correlating and analyzing security alerts is a critical and challenging task in security management. Recently, some techniques have been proposed for security alert correlation. However, these approaches focus more on basic or low-level alert correlation. In this paper, we study how to conduct probabilistic inference to correlate and analyze attack scenarios. Specifically, we propose an approach to solving the following problems: 1) How to correlate isolated attack scenarios resulting from low-level alert correlation? 2) How to identify an attacker's high-level strategies and intentions? 3) How to predict potential attacks based on observed attack activities? We evaluate our approaches using DARPA's grand challenge problem (GCP) data set. The results demonstrate the capability of our approach in correlating isolated attack scenarios, identifying attack strategies and predicting future attacks.
  • Keywords
    correlation theory; inference mechanisms; security of data; attack plan recognition; causal networks; grand challenge problem; intrusion detection; probabilistic inference; security alert correlation; security management; Algorithm design and analysis; Artificial intelligence; Character recognition; Clustering algorithms; Computer security; Data security; Intrusion detection; Libraries; Sensor systems; Technology management; Intrusion detection; alert correlation; attack scenario analysis; security management;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computer Security Applications Conference, 2004. 20th Annual
  • ISSN
    1063-9527
  • Print_ISBN
    0-7695-2252-1
  • Type
    conf
  • DOI
    10.1109/CSAC.2004.7
  • Filename
    1377244