Discovering Multi-stage Attacks Using Closed Multi-dimensional Sequential Pattern Mining

Brahmi, Hanen; Yahia, Sadok Ben

doi:10.1007/978-3-642-40173-2_38

Cited by 5 publications

(6 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Multi-stage attack patterns can be discovered by analyzing sequence data. The approach by Brahmi and Yahia [135] is based on a closed multi-dimensional sequential pattern mining algorithm, called Closed Multi-Dimensional PrefixSpan (CMD PrefixSpan), which is an improved version of the PrefixSpan [136]. The search for frequently encountered alert sequences is performed using a multi-dimensional table with alert attributes.…”

Section: ) Statistical-based Methodsmentioning

confidence: 99%

Systematic Literature Review of Security Event Correlation Methods

2022

View full text Add to dashboard Cite

Security event correlation approaches are necessary to detect and predict incremental threats such as multi-step or targeted attacks (advanced persistent threats) and other causal sequences of abnormal events. The use of security event correlation techniques also makes it possible to reduce the volume of the original data stream by grouping the events and eliminating their redundancy. The variety of event correlation methods, in turn, requires choosing the most appropriate way to handle security events, depending on the purpose and available resources. This paper presents a systematization of security event correlation methods into several categories, such as publication year, applied correlation methods, knowledge extraction methods, used data sources, architectural solutions, and quality evaluation of correlation methods. The research method is a systematic literature review, which includes the formulation of research questions, the choice of keywords and criteria for inclusion and exclusion. The review corpus is formed by using search queries in Google Scholar, IEEE Xplore, ACM Digital Library, ScienceDirect, and selection criteria. The final review corpus includes 127 publications from the existing literature for 2010-2021 and reflects the current state of research in the security event correlation field. The results of the analysis include the main directions of research in the field of event correlation and methods used for correlation both single events and their sequences in attack scenarios. The review also describes the datasets and metrics used to evaluate security event correlation approaches. In conclusion, the existing problems and possible ways to overcome them are identified. The main contribution of the review is the most complete classification and comparison of existing approaches to the security event correlation, considered not only from the point of view of the algorithm, but also the possibility of unknown attack detection, architectural solutions and the use of event initial data.

show abstract

Section: ) Statistical-based Methodsmentioning

confidence: 99%

Systematic Literature Review of Security Event Correlation Methods

2022

View full text Add to dashboard Cite

show abstract

“…Pattern extraction is conducted based on association rule, sequential mining, or frequent episode mining. An improved version of the Prefix Span algorithm is applied by Brahmi and Yah [19] as a method of finding the most frequent patterns by distributing the alerts and their attributes in multi-dimensional tables. Sequential-based methods are useful for modeling and analyzing complex attack scenarios from sequences of individual events or steps that are a part of the same attack scenario.…”

Section: Alert Aggregation and Alert Correlationmentioning

confidence: 99%

Frequency-Based Representation of Massive Alerts and Combination of Indicators by Heterogeneous Intrusion Detection Systems for Anomaly Detection

Park

Choi

2022

Sensors

View full text Add to dashboard Cite

Although the application of a wide range of sensors has been generalized through the development of technology, the processing of massive alerts generated through data analysis and monitoring remains a challenge. This problem is also found in cyber security because the intrusion detection system (IDS) produces a tremendous number of alerts. Massive alerts not only significantly increase resources for analysis, but also make it difficult to analyze the overall situation of the system. In order to handle massive alerts, we propose using an indicator as a frequency-based representation. The proposed indicator is generated from categorical parameters of alerts that occur within a unit time utilizing frequency and is used for situational awareness with machine learning to detect whether there is a threat or not. The advantage of using indicators is that they can determine the situation for a period without analyzing individual alerts, which helps security experts to recognize the situation in the system and focus on targets that require in-depth analysis. In addition, the conversion from the categorical parameters which is highly related to analysis to numeric parameter allows for applying machine learning. For performance evaluation, we collect data from an HAI testbed similar to real critical infrastructure and conduct experiments using indicators and XGBoost, a classification machine learning algorithm against five famous vulnerability attacks. Consequently, we show that the proposed method can detect attacks with more than 90 percent accuracy, and the performance is enhanced using heterogeneous intrusion detection systems.

show abstract

“…Classes of sequential patterns and measures of interest for the field of ICT risk assessment are then introduced in Sect. 4. Next, in Sect.…”

Section: Introductionmentioning

confidence: 95%

“…Finally, the usage of data mining models in IDS has been widely adopted, e.g., using classifiers [11], association rules [9], and closed sequential patterns [4]. All of them struggle with the lack of enough data for building accurate models.…”

Section: Related Workmentioning

confidence: 99%

“…The intended objective is twofold: (1) to exploit the extracted patterns for the design of attack countermeasures, and (2) for gaining a better understanding of the "degree of freedom" available for the attackers of a system. Objective (1) can be achieved by using data mining models for making predictions on the next attack of a threat agent that is following a matched pattern [4,9,11], hence enforcing dynamic counter-measures. We instead take a different approach that selects from the set of extracted patterns a set that covers as much as possible the successful attack sequences of the threat agent.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Sequential Pattern Mining for ICT Risk Assessment and Prevention

D'Andreagiovanni

Baiardi

Lipilini

et al. 2018

Software Engineering and Formal Methods

View full text Add to dashboard Cite

Security risk assessment and prevention in ICT systems rely on the analysis of data on the joint behavior of the system and its (malicious) users. The Haruspex tool models intelligent, goal-oriented agents that reach their goals through attack sequences. Data is synthetically generated through a Monte Carlo method that runs multiple simulations of the attacks against the system. In this paper, we present a sequential pattern mining analysis of the database of attack sequences. The intended objective is twofold: (1) to exploit the extracted patterns for the design of attack counter-measures, and (2) for gaining a better understanding of the "degree of freedom" available for the attackers of a system. We formally motivate the need for using maximal sequential patterns, instead of frequent or closed sequential patterns, and report on the results on a specific case study.

show abstract

Discovering Multi-stage Attacks Using Closed Multi-dimensional Sequential Pattern Mining

Cited by 5 publications

References 5 publications

Systematic Literature Review of Security Event Correlation Methods

Systematic Literature Review of Security Event Correlation Methods

Frequency-Based Representation of Massive Alerts and Combination of Indicators by Heterogeneous Intrusion Detection Systems for Anomaly Detection

Sequential Pattern Mining for ICT Risk Assessment and Prevention

Contact Info

Product

Resources

About