In an intrusion detection context, neither of the main detection approaches (signature-based and anomaly-based) is fully satisfactory. False positives and false negatives are the major limitations of such systems. The generated alerts are elementary and very numerous. Hence, alert correlation techniques are used to provide a complementary analysis that links elementary alerts and gives a more global view of an intrusion. It has been widely recognised that real cyber attacks consist of phases that are temporally ordered and logically connected. In this paper we present an improved knowledge-based causal alert correlation model. The correlation process is essentially modularized, based on an extension of the properties and characteristics of the "requires/provides" model. The modeling of the knowledge base is described, consisting of attack classes, vulnerabilities, and alerts generated by security tools. The proposed system is evaluated on simulated and real multi-stage attacks and shows an efficient capability to correlate the attacker's behavior.
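To illustrate the causal linking the abstract refers to, here is an added example (not code from the paper) of a minimal requires/provides correlator: each attack class in a constructed knowledge base declares the capabilities it requires and provides, and two alerts are linked when the earlier one provides something the later one requires against the same target. The attack classes, capability names and alert stream are assumptions made up for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Constructed knowledge base (assumed, not the paper's): each attack class
# lists the capabilities it requires and those it provides to a later step.
KB = {
    "port_scan":  {"requires": set(),                  "provides": {"host_reachable"}},
    "vuln_probe": {"requires": {"host_reachable"},     "provides": {"service_vulnerable"}},
    "exploit":    {"requires": {"service_vulnerable"}, "provides": {"shell_access"}},
    "exfil":      {"requires": {"shell_access"},       "provides": {"data_leaked"}},
}
@dataclass(frozen=True)
class Alert:
    ts: datetime
    attack_class: str
    src: str
    dst: str

def causal_edges(alerts, kb=KB):
    """A -> B when A precedes B on the same target and A provides what B requires."""
    ordered = sorted(alerts, key=lambda a: a.ts)
    edges = []
    for i, later in enumerate(ordered):
        needs = kb[later.attack_class]["requires"]
        for earlier in ordered[:i]:
            if earlier.dst == later.dst and needs & kb[earlier.attack_class]["provides"]:
                edges.append((earlier, later))
    return edges

def scenarios(alerts, kb=KB):
    """Each root-to-leaf path in the causal graph is one multi-stage scenario."""
    succ = {}
    for a, b in causal_edges(alerts, kb):
        succ.setdefault(a, []).append(b)
    linked = {b for bs in succ.values() for b in bs}
    out = []
    def walk(node, path):
        if node not in succ:          # leaf: the chain ends here
            out.append(path)
        for nxt in succ.get(node, []):
            walk(nxt, path + [nxt.attack_class])
    for root in [a for a in succ if a not in linked]:
        walk(root, [root.attack_class])
    return out
# Constructed alert stream: a four-step chain against 10.0.0.5 (minutes 0, 2, 5, 9)
# plus an isolated scan of another host that must not be linked to it.
T = datetime(2015, 1, 1, 12, 0)
ALERTS = [Alert(T + timedelta(minutes=m), c, "203.0.113.9", "10.0.0.5")
          for m, c in zip([0, 2, 5, 9], ["port_scan", "vuln_probe", "exploit", "exfil"])]
ALERTS.append(Alert(T + timedelta(minutes=3), "port_scan", "198.51.100.4", "10.0.0.8"))
```

Running `scenarios(ALERTS)` yields a single four-stage scenario; the scan of 10.0.0.8 stays unlinked because no later alert requires a capability it provides on that host.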
Alserhani, F. M. (2015). Knowledge-based model to represent security information and reason about multi-stage attacks. In Lecture Notes in Business Information Processing (Vol. 215, pp. 482–494). Springer Verlag. https://doi.org/10.1007/978-3-319-19243-7_44