A Threat Prediction Framework for Network Security Based on Attack Patterns and Colored Petri Nets

It is hard to comprehend intrusion alerts because many attacks are multistage and even coordinated by multiple attackers. This paper introduces a threat prediction framework to tackle the problem. The framework adopts attack patterns to facilitate the reuse of network security knowledge. The instantiation of relevant attack patterns becomes a network specific attack plan. We developed a colored Petri Net, CPNap, to represent the attack plan, which can clearly reveal the attack steps and security states. A CPNap is then tokenized to represent an actual attack. Based on the token arrival probability of a tokenized CPNap, we finally can conduct situation assessment and threat prediction. Our experiments show the framework can effectively predict security threats of multistage attacks and identify cooperating attackers. With this, network defenders may have a better chance to take mitigation actions before the attackers fulfill their malicious intentions.