A System for Detecting Targeted Cyber-Attacks Using Attack Patterns

Detecting multi-stage cyber-attacks remains a challenge for any security analyst working in large corporate environments. Conventional security solutions such as intrusion detection systems tend to report huge amount of alerts that still need to be examined and cross-checked with other available data in order to eliminate false positives and identify any legitimate attacks. Attack patterns can be used as a means to describe causal relationships between the events detected at different stages of an attack. In this paper, we introduce an agent-based system that collects relevant event data from various sources in the network, and then correlates the events according to predefined attack patterns. The system allows security analysts to formulate the attack patterns based on their own knowledge and experience, and test them on available datasets. We present an example attack pattern for discovering suspicious activities in the network following a potential brute force attack on one of the servers. We discuss the results produced by our prototype implementation and show how a security analyst can drill down further into the data to identify the victim and obtain information about the attack methods.