DocumentCode
3224748
Title
Attack scenario construction with a new sequential mining technique
Author
Li, Wang ; Zhi-Tang, Li ; Dong, Li ; Jie, Lei
Author_Institution
Huazhong Univ. of Sci. & Technol., Wuhan
Volume
1
fYear
2007
fDate
July 30 2007-Aug. 1 2007
Firstpage
872
Lastpage
877
Abstract
The continuously increasing volume of security data makes it important to develop an advanced alert correlation system that can reduce alert redundancy, intelligently correlate security alerts and detect attack strategies. In this paper, we propose a new method of constructing attack scenarios in order to recognize an attacker's high-level strategies and predict upcoming attack intentions. We mine frequent attack sequence patterns from a historical high-level alert database. We then construct attack scenario models through online attack behavior pattern matching and correlativity calculation. Our technique overcomes the drawback of manual association rule specification used in other relevant systems. Compared with other existing techniques, it is easy to implement and can be used to detect novel multistage attack strategies. Experiments show that our approach can effectively construct attack scenarios and accordingly predict the next most probable attack behavior.
Keywords
data mining; security of data; advanced alert correlation system; association rule specification; attack scenario construction; correlativity calculation; data security; frequent attack sequence patterns; high level alert database; pattern matching; sequential mining technique; Artificial intelligence; Computer security; Correlation; Data security; Databases; File servers; History; Information security; Pattern matching; Software engineering; attack scenario construction; correlativity; mining; sequential
fLanguage
English
Publisher
ieee
Conference_Titel
Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing, 2007. SNPD 2007. Eighth ACIS International Conference on
Conference_Location
Qingdao
Print_ISBN
978-0-7695-2909-7
Type
conf
DOI
10.1109/SNPD.2007.395
Filename
4287626