Article code: 6884316 | Journal code: 695594 | Publication year: 2015 | English article, 31 pages | Full-text version: PDF, free download
English title of the ISI article
RTECA: Real time episode correlation algorithm for multi-step attack scenarios detection
Related subjects
Engineering and Basic Sciences; Computer Engineering; Computer Networks and Communications
English abstract
Today, from an information security perspective, prevention methods alone are not enough. Early Warning Systems (EWSs) fall into the category of reactive methods. These systems complement Intrusion Detection Systems (IDSs); their main goals include early detection of potentially malicious behavior in large-scale environments such as at the national level. An important process in EWSs is the analysis and correlation of alerts aggregated from the installed sensors (e.g., IDSs, IP telescopes, and botnet detection systems). In this paper, an efficient framework for alert correlation in EWSs is proposed. The framework includes a correlation scheme based on a combination of statistical and stream mining techniques. The method works in real time by extracting critical episodes from sequences of alerts, which could be part of multi-step attack scenarios. A Causal Correlation Matrix (CCM) is used to encode the correlation strength between alert types in attack scenarios. Experimental results show that the framework is efficient enough to detect known attack scenarios and new attack strategies. The results also show that the system is able to predict the next steps of running attack scenarios with up to 95% accuracy under special circumstances.
Publisher
Database: Elsevier - ScienceDirect
Journal: Computers & Security - Volume 49, March 2015, Pages 206-219