Correlating Intrusion Events and Building Attack Scenarios through Attack Graph Distances

Steven Noel
George Mason University
USA

Eric Robertson
George Mason University
USA

Sushil Jajodia
George Mason University
USA

We map intrusion events to known exploits in the network attack graph, and correlate the events through the corresponding attack graph distances. From this, we construct attack scenarios, and provide scores for the degree of causal correlation between their constituent events, as well as an overall relevancy score for each scenario. While intrusion event correlation and attack scenario construction have been previously studied, this is the first treatment based on association with network attack graphs. We handle missed detections through the analysis of network vulnerability dependencies, unlike previous approaches that infer (often ambiguous) hypothetical attacks. Rather than trying to infer gaps in attack scenarios, we quantify lack of knowledge through attack graph distance. We show that low-pass signal filtering of event correlation sequences improves quality in the face of false positive/negative detections. We also show how a correlation threshold can be applied for creating strongly correlated attack scenarios. Our model is highly efficient, with attack graphs and their exploit distances being computed offline. Online event processing requires only a database lookup and a small number of arithmetic operations, making the approach highly feasible for real-time applications.

Keywords: Intrusion event correlation, attack scenarios, attack graphs, network vulnerability analysis

Read Paper Read Paper (in PDF)