Attack Subplan-Based Attack Scenario Correlation

There are various security sensors deployed in the network to protect the information assets from destruction. These sensors produce a huge amount of alerts in different event granularities and semantics. Such a huge amount of alerts is hard to be comprehended; as a result, a timely response to the attacks is difficult. Thus, a better technique for alert analysis and management is imperative for promoting the network security. We have developed a two layered PA-based (primitive attack-based) correlation approach to tackle this problem. The first layer does PA construction by integrating related alerts into proper PAs. The second layer is the attack subplan-based correlation layer, which does attack scenario correlation from recognized PAs by employing attack subplan templates to guide the correlation process. This paper focuses on the second layer, by discussing how to automatically construct attack subplan templates, how to eliminate invalid attack subplan templates, how the attack subplan templates can direct the process of scenario correlation, and how a proper fusion process can reduce superfluous attack information. Our experiments show this correlation approach can effectively unearth the attack strategies of the attackers, reduce the cognitive loading of the network manager in comprehending alert reports, and also relieve him from the time consuming and skillful analysis task required in manually analyzing alerts to construct correlation knowledge.