Title :
Discovering Novel Multistage Attack Patterns in Alert Streams
Author :
Zhang, Ai-Fang ; Li, Zhi-Tang ; Li, Dong ; Wang, Li
Author_Institution :
Huazhong Univ. of Sci. & Technol., Wuhan
Abstract :
With the growing deployment of network security devices, the large volume of alerts gathered from these devices often overwhelms the administrator and makes it almost impossible to discover complicated multistage attacks in time. It is necessary to develop a real-time system that detects ongoing attacks and predicts the upcoming next step of a multistage attack in alert streams, using known attack patterns. It is therefore a key mission to make sure that the pattern definitions are correct, complete and up to date. In this paper, a classical data mining algorithm is used to help discover attack patterns and to construct and maintain rules. This overcomes the drawbacks of previous approaches based on manual analysis, which are highly dependent on expert knowledge, time-consuming and error-prone. Unfortunately, in a dynamic network environment where novel attack strategies appear continuously, the method shows a limited capability to detect novel attack patterns. We address this problem by presenting a novel approach that uses an incremental mining algorithm to discover new attack patterns that have appeared recently. A series of experiments shows the validity of the methods in this paper.
Keywords :
data mining; security of data; alert streams; data mining algorithm; incremental mining algorithm; multistage attack patterns; network security devices; Arithmetic; Bayesian methods; Data mining; Error correction; Information security; Intrusion detection; Iterative algorithms; Real time systems; Redundancy; Search engines;
Conference_Titel :
Networking, Architecture, and Storage, 2007. NAS 2007. International Conference on
Conference_Location :
Guilin
Print_ISBN :
0-7695-2927-5
DOI :
10.1109/NAS.2007.20