Multi-layer episode filtering for the multi-step attack detection

The discovery of sophisticated attack sequences demands the development of significantly better alert correlation algorithms. Most of the proposed approaches in the area of multi-step attack detection have limited capabilities because they rely on various forms of predefined knowledge of attacks or attack transition patterns using attack modeling language or pre-and post-conditions of individual attacks. Therefore, those approaches cannot recognize a correlation when an attack is new or the relationship between attacks is new. In this research, we take a different view and consider alert correlation as the problem of inferring an intruder’s actions as alert patterns that are constructed progressively. The work is based on a multi-layer episode mining and filtering algorithm. A decision-tree-based method is used for learning specifications of each attack pattern and detecting them in alert streams. We also used a Correlation Weight Matrix (CWM) for encoding correlation strength between attack types in the attack scenarios. One of the distinguishing features of our proposed technique is detecting novel multi-step attack scenarios, using a rule prediction method. The results have shown that our approach can effectively discover known and unknown attack strategies with high accuracy. We achieved more than 90% reduction in the number of discovered patterns while more than 95% of final patterns were actual patterns. Furthermore, our rule prediction capability showed a precise forecasting ability in guessing future alerts.