DocumentCode
2386943
Title
Generating Attack Scenarios with Causal Relationship
Author
Cheng, Yu-Chin ; Chen, Chien-Hung ; Chiang, Chung-Chih ; Wang, Jun-Wei ; Laih, Chi-Sung
Author_Institution
Nat. Cheng Kung Univ., Tainan
fYear
2007
fDate
2-4 Nov. 2007
Firstpage
368
Lastpage
368
Abstract
With the arrival of the information era, the Internet has developed rapidly and offers more and more services. However, intrusions, viruses and worms have followed the growth of the Internet, spreading widely all over the world across high-speed networks. Although many kinds of intrusion detection systems (IDSs) have been developed, they have some disadvantages in that they focus on low-level attacks or anomalies, and raise alerts independently. In this paper, we give a formal description of attack patterns, attack transition states and attack scenarios. We propose a system architecture to generate an attack scenario database correctly and completely. We first classify and extract attack patterns, then correlate attack patterns with pre/post conditions matching and. Moreover, the approach, attack scenario generation with causal relationship (ASGCR), is proposed to build an attack scenario database. Finally, we present the combination of our attack scenario database with a security operation center (SOC) to implement the related components concerning alert integration and correlation. It is shown that our method is better than CAML [4] since we can generate more attack scenarios effectively and correctly to help system managers maintain network security.
Keywords
Internet; computer viruses; database management systems; software architecture; Internet; attack scenario database; attack scenario generation with casual relationship; formal description; high speed network; information era; intrusion detection systems; low-level attacks; security operation center; system architecture; viruses; worms; Communication system security; Data security; Databases; High-speed networks; IP networks; Intrusion detection; National security; Sensor phenomena and characterization; Viruses (medical); Web and internet services;
fLanguage
English
Publisher
ieee
Conference_Titel
Granular Computing, 2007. GRC 2007. IEEE International Conference on
Conference_Location
Fremont, CA
Print_ISBN
978-0-7695-3032-1
Type
conf
DOI
10.1109/GrC.2007.117
Filename
4403126