Title :
Automatic learning of attack behavior patterns using Bayesian networks
Author :
Kavousi, F. ; Akbari, Behzad
Author_Institution :
Fac. of Electr. & Comput. Eng., Tarbiat Modares Univ., Tehran, Iran
Abstract :
A tremendous number of low-level alerts reported by information security systems makes it challenging for security administrators to perform an effective analysis and initiate a timely response. Alert correlation techniques have been proposed to reduce the number of alerts and provide a succinct, high-level view of attacks. Most of the existing approaches rely on a priori, hard-coded domain knowledge, which makes them difficult to implement and limits their ability to detect new attack strategies. To address the drawbacks of these approaches, recent research in this area has moved towards extracting attack strategies through automatic analysis of intrusion alerts. In this paper, we present new algorithms to mine attack behavior patterns from a large number of intrusion alerts without specific prior knowledge about attacks. Unlike expert knowledge-based methods, our proposed scheme automatically generates correlation rules from previously observed alerts using a Bayesian causality mechanism. The attack activity patterns learned in this way can help to correlate alerts, reconstruct attack scenarios and predict possible forthcoming attacks in a real-time system. Our experimental results clearly show the efficiency of the proposed method in learning new attack strategies.
Keywords :
belief networks; computer network security; correlation theory; learning (artificial intelligence); Bayesian causality mechanism; Bayesian network; attack behavior pattern detection; automatic learning; correlation technique; expert knowledge-based method; hard-coded domain knowledge; information security system; intrusion detection; security administrator; Bayes methods; Correlation; History; IP networks; Ports (Computers); Security; Vectors; Alert Correlation; Bayesian Network; Intrusion Detection; Network Security
Conference_Titel :
Telecommunications (IST), 2012 Sixth International Symposium on
Conference_Location :
Tehran
Print_ISBN :
978-1-4673-2072-6
DOI :
10.1109/ISTEL.2012.6483132