Framework and Models for Multistep Attack Detection

Cyber attacks are becoming increasingly complex, especially when the target is a modern IT infrastructure, characterized by a layered architecture that integrates several security technologies such as firewalls and intrusion detection systems. These contexts can be violated by a multistep attack, that is a complex attack strategy that comprises multiple correlated intrusion activities. While a modern Intrusion Detection System detects single intrusions, it is unable to link them together and to highlight the strategy that underlies a multistep attack. Hence, a single multistep attack may generate a high number of uncorrelated intrusion alerts. The critical task of analyzing and correlating all these alerts is then performed manually by security experts. This process is time consuming and prone to human errors. This paper proposes a novel framework for the analysis and correlation of security alerts generated by state-of-the-art Intrusion Detection Systems. Our goal is to help security analysts in recognizing and correlating intrusion activities that are part of the same multistep attack scenario. The proposed framework produces correlation graphs, in which all the intrusion alerts that are part of the same multistep attack are linked together. By looking at these correlation graphs, a security analyst can quickly identify the relationships that link together seemingly uncorrelated intrusion alerts, and can easily recognize complex attack strategies and identify their final targets. Moreover, the proposed framework is able to leverage multiple algorithms for alert correlation.