As attack methods keep improving, attacks are increasingly distributed, complex and targeted, with attackers combining several techniques to reach their goal. Advanced cyber attacks proceed through multiple stages before achieving the ultimate objective. Traditional intrusion detection systems, endpoint security management tools, firewalls, and other monitoring tools generate a large number of alerts during such an attack. These alerts contain attack clues, but also many false positives unrelated to any attack. Security analysts must sift through this large volume of alerts, extract the useful clues, and reconstruct the attack scenario. However, most traditional security monitoring tools cannot correlate alerts from different sources, so many multi-step attacks go completely unnoticed, and finding them manually is like looking for a needle in a haystack. We propose MAAC, a multi-step attack alert correlation system, which reduces repeated alerts and assembles multi-step attack paths based on alert semantics and attack stages. Evaluation on real-world datasets shows that MAAC can effectively reduce the alerts by 90% and find attack paths among a large number of alerts.
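As an added illustration that is not MAAC's own implementation, the following Python sketches the two operations the abstract describes: collapsing repeated alerts from the same sensor, and chaining the survivors into multi-step attack paths ordered by attack stage and linked by a shared host. The stage ordering, alert fields and sample alerts are constructed assumptions for this example.

```python
"""Added illustration of alert de-duplication and stage-based chaining.
Not MAAC's code; stage order, alert fields and sample alerts are assumed."""

# Assumed ordering of attack stages (a simplified kill chain).
STAGE_ORDER = {"recon": 0, "exploit": 1, "c2": 2, "lateral": 3, "exfil": 4}

# Constructed sample alerts: (time, sensor, signature, src_host, dst_host, stage).
ALERTS = [
    (100, "ids", "port-scan", "10.0.0.5", "10.0.0.20", "recon"),
    (101, "ids", "port-scan", "10.0.0.5", "10.0.0.20", "recon"),   # repeat
    (102, "ids", "port-scan", "10.0.0.5", "10.0.0.20", "recon"),   # repeat
    (130, "fw", "dns-nxdomain-burst", "10.0.0.7", "8.8.8.8", "recon"),  # unrelated
    (200, "edr", "rce-attempt", "10.0.0.5", "10.0.0.20", "exploit"),
    (260, "fw", "beacon-outbound", "10.0.0.20", "203.0.113.9", "c2"),
    (320, "edr", "psexec-lateral", "10.0.0.20", "10.0.0.30", "lateral"),
]

def dedupe(alerts, window=60):
    """Collapse repeats of (sensor, signature, src, dst) within `window` seconds."""
    first_seen = {}
    kept = []
    for a in sorted(alerts, key=lambda x: x[0]):
        key = a[1:5]
        if key in first_seen and a[0] - first_seen[key] <= window:
            continue  # same alert seen recently: drop the duplicate
        first_seen[key] = a[0]
        kept.append(a)
    return kept

def chain_paths(alerts):
    """Link alerts into paths: B extends a path ending in A when B's stage is
    later than A's and B touches a host that A touched (its src or dst)."""
    paths = []
    for a in sorted(alerts, key=lambda x: x[0]):
        extended = False
        for path in paths:
            prev = path[-1]
            later = STAGE_ORDER[a[5]] > STAGE_ORDER[prev[5]]
            shares_host = a[3] in (prev[3], prev[4]) or a[4] in (prev[3], prev[4])
            if later and shares_host:
                path.append(a)
                extended = True
                break
        if not extended:
            paths.append([a])  # start a new candidate path
    return paths

def correlate(alerts):
    """Return only paths with at least two stages, i.e. candidate multi-step attacks."""
    return [p for p in chain_paths(dedupe(alerts)) if len(p) > 1]
```

On the constructed input, seven alerts collapse to five, the unrelated DNS alert stays an isolated single-stage path and is discarded, and the remaining four alerts form one recon-exploit-c2-lateral path.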