The Community for Technology Leaders
Eighth ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing (SNPD 2007) (2007)
Haier International Training Center, Qingdao, China
July 30, 2007 to Aug. 1, 2007
ISBN: 0-7695-2909-7
pp: 1170-1175
Wang Li , Huazhong University of Science and Technology, China
Li Zhi-tang , Huazhong University of Science and Technology, China
Ma Jie , Huazhong University of Science and Technology, China
Ma Yang-ming , Huazhong University of Science and Technology, China
Zhang Ai-fang , Huazhong University of Science and Technology, China
ABSTRACT
The amount of security application products connected to the Internet increased so dramatically that they usually generate huge volumes of security audit data. Therefore, it is important to develop an advanced alert correlation system that can reduce data redundancy and provide effective direction. This paper describes the framework, SATA, for Security Alerts and Threats analysis. Using SATA, raw audit data is first preprocessed into hi-alerts, which are refined and verified as true threat. We further analyze the correlation-ship of real-time hi-alerts to achieve the goal of online attack plan recognition. A key contribution of the paper is thus in automatic "multi-stage attack plan recognition". It also solves the problem of detecting novel multi-stage attacks. Experiment shows our approach can effectively correlate multi-stage attack behaviors and identify true attack threats.
INDEX TERMS
Attack Plan Recognition, Attack Sequence Analysis, Hi-alert Correlation
CITATION

M. Jie, W. Li, M. Yang-ming, L. Zhi-tang and Z. Ai-fang, "Automatic attack plan recognition from intrusion alerts," Eighth ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing (SNPD 2007)(SNPD), Haier International Training Center, Qingdao, China, 2007, pp. 1170-1175.
doi:10.1109/SNPD.2007.396
83 ms
(Ver 3.3 (11022016))