Title :
Real time alert correlation and prediction using Bayesian networks
Author :
Ali Ahmadian Ramaki;Masoud Khosravi-Farmad;Abbas Ghaemi Bafghi
Author_Institution :
Data and Communication Security Lab., Computer Engineering Department, Ferdowsi University of Mashhad, Mashhad, Iran
Abstract :
Nowadays, to provide a picture of the current intrusive activities in a network, detection methods are important for tackling the probable risks of attackers' malicious behavior. Intrusion Detection Systems (IDSs), as detection solutions, are one of the main devices for recording and analyzing suspicious activities. The huge number of low-level alerts generated by IDSs clearly reflects the need for a novel alert correlation system to reduce alert redundancy, correlate security alerts, and discover multi-step attack scenarios. In this paper, we propose a novel alert correlation framework that processes the generated alerts in real time, correlates the alerts, constructs the attack scenarios using the concept of Bayesian networks, and forecasts the next goal of the attacker by creating attack prediction rules. The proposed framework has two modes: online and offline. In the offline mode, a Bayesian Attack Graph (BAG) is constructed using the concept of Bayesian networks. Then, in the online mode, the most probable next steps of the attacker are predicted. Experimental results show that the framework is effective at detecting multi-step attack strategies without using any predefined knowledge. The results also show that the algorithm forecasts multi-step attacks before they can compromise the network.
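As an added illustration (not code from the paper; the authors' BAG construction, prediction rules and probabilities are not reproduced here), the following Python sketches the online mode on a constructed five-step Bayesian attack graph with noisy-OR conditional probabilities: observed IDS alerts become hard evidence, exact enumeration gives the posterior of every unreached step, and the unreached steps whose prerequisites are already observed are ranked as the attacker's most probable next goals. Node names, alert signatures and edge probabilities are all assumptions made for the example.

```python
from itertools import product

# Constructed toy Bayesian attack graph (BAG). Each node is a Bernoulli
# variable "attack step reached"; parents are prerequisite steps. Edge
# weights and leaks are illustrative assumptions, not values from the paper.
# Noisy-OR combination:
#   P(X=1 | parents) = 1 - (1 - leak) * prod_{active parents p} (1 - w_p)
# For a root node (no parents) the leak is simply its prior probability.
BAG = {
    "scan":         {"parents": {},                                        "leak": 0.30},
    "exploit_web":  {"parents": {"scan": 0.6},                             "leak": 0.05},
    "priv_esc_web": {"parents": {"exploit_web": 0.5},                      "leak": 0.0},
    "pivot_db":     {"parents": {"exploit_web": 0.4, "priv_esc_web": 0.7}, "leak": 0.0},
    "exfil":        {"parents": {"pivot_db": 0.8},                         "leak": 0.0},
}

# Constructed mapping from IDS alert signature names to BAG nodes.
ALERT_TO_NODE = {
    "TOY SCAN Nmap sweep": "scan",
    "TOY WEB SQL injection": "exploit_web",
    "TOY HOST setuid abuse": "priv_esc_web",
    "TOY NET lateral SMB login": "pivot_db",
    "TOY DATA large outbound transfer": "exfil",
}


def cond_prob(node, state, assignment):
    """P(node = state | parent values taken from `assignment`) via noisy-OR."""
    spec = BAG[node]
    p_fail = 1.0 - spec["leak"]
    for parent, weight in spec["parents"].items():
        if assignment[parent]:
            p_fail *= 1.0 - weight
    p_true = 1.0 - p_fail
    return p_true if state else 1.0 - p_true


def joint_prob(assignment):
    """Joint probability of one full assignment = product of node CPTs."""
    prob = 1.0
    for node in BAG:
        prob *= cond_prob(node, assignment[node], assignment)
    return prob


def posterior(node, evidence):
    """Exact P(node=1 | evidence) by enumerating every joint assignment.
    Fine for a toy graph; real BAGs need variable elimination or sampling."""
    nodes = list(BAG)
    p_evidence = 0.0
    p_node_and_evidence = 0.0
    for values in product((0, 1), repeat=len(nodes)):
        assignment = dict(zip(nodes, values))
        if any(assignment[n] != v for n, v in evidence.items()):
            continue
        p = joint_prob(assignment)
        p_evidence += p
        if assignment[node]:
            p_node_and_evidence += p
    if p_evidence == 0.0:
        raise ValueError("evidence has zero probability under the BAG")
    return p_node_and_evidence / p_evidence


def alerts_to_evidence(alert_signatures):
    """Translate observed IDS alert names into hard evidence (step reached).
    Unknown signatures are ignored rather than guessed at."""
    evidence = {}
    for sig in alert_signatures:
        node = ALERT_TO_NODE.get(sig)
        if node is not None:
            evidence[node] = 1
    return evidence


def predict_next_steps(evidence):
    """Rank unreached steps that have at least one observed prerequisite,
    i.e. the moves the attacker can make next, by posterior probability."""
    ranked = []
    for node, spec in BAG.items():
        if node in evidence:
            continue
        if not any(evidence.get(p) == 1 for p in spec["parents"]):
            continue
        ranked.append((node, posterior(node, evidence)))
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked


if __name__ == "__main__":
    # Constructed alert stream: a scan followed by a web exploit.
    observed = ["TOY SCAN Nmap sweep", "TOY WEB SQL injection"]
    evidence = alerts_to_evidence(observed)
    for step, p in predict_next_steps(evidence):
        print(f"{step:14s} P(next) = {p:.3f}")
    # Evidence also flows backwards: a web exploit alert alone makes the
    # (unalerted) scan step much more likely than its 0.30 prior.
    print(f"P(scan | exploit_web) = {posterior('scan', {'exploit_web': 1}):.3f}")
```

With scan and exploit_web observed, pivot_db (0.61) outranks priv_esc_web (0.50) even though it is further down the chain, because two prerequisite paths feed it; exfil (0.488) is not a candidate yet since none of its prerequisites has been observed. Replacing the exhaustive enumeration with a proper inference engine is the only change needed to scale this beyond a handful of nodes.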
Keywords :
"Correlation","Bayes methods","Real-time systems","Security","Databases","Sensors","Feature extraction"
Conference_Titel :
2015 12th International Iranian Society of Cryptology Conference on Information Security and Cryptology (ISCISC)
DOI :
10.1109/ISCISC.2015.7387905