Extracting and Evaluating Similar and Unique Cyber Attack Strategies from Intrusion Alerts

Intrusion detection system (IDS) is an integral part of computer networks to monitor and detect threats. However, the alerts raised by these systems are often overwhelming to security analysts, making it difficult to uncover the steps an attacker took to compromise one or more systems in the network. This work presents a novel approach that aggregates IDS alerts and forms sequences of attack activities and their corresponding probabilistic models. This allows comparison of attack sequences to offer insights for unique as well as similar attack behaviors. We aggregate alerts by performing a Gaussian filter on specific alert attributes and model attackers using a suffix-based probabilistic model. We compare sequences generated from ten independent attacking teams with similar objectives demonstrating how our process uncovers similarities and uniqueness between the attacks that was not obvious. The sequences revealed by our process creates meaningful sequences that offers insights on how the attacking teams exploit a network.