A data mining approach to generating network attack graph for intrusion prediction

A network attack graph provides a global view of all possible sequences of exploits which an intruder may use to penetrate a system. Attack graphs can be generated by model checking techniques or intrusion alert Correlation. In this paper we proposed a data mining approach to generating attack graphs. Through association rule mining, the algorithm generates multi-step attack patterns from historical intrusion alerts which comprise the attack graphs. The algorithm also calculates the predictability of each attack scenario in the attack graph which represents the probability for the corresponding attack scenario to be the precursor of future attacks. Then the real-time intrusion alerts can be correlated to attack scenarios and ranked by the predictability scores. The ranking result can help identify the appropriate evidence for intrusion prediction from a large volume of raw intrusion alerts. The approach is validated by DARPA 2000 and DARPA 1999 intrusion detection evaluation datasets.