Extracting Attack Narratives from Traffic Datasets

Parsing through large amounts of network traffic to extract attack signatures is a complex and time consuming process. It is an even harder process to piece together those signatures to formulate an attack narrative. An attack narrative can be defined as the set of attack signatures, that when combined provides an overview of the attack and the attacker themselves. In this paper, we propose a framework for extracting attack narratives from traffic datasets. Within this framework, we propose the re-examination of packet grepping for attack signatures in network traffic as a viable, fast, and effective means to extract attack narratives from large amounts of network traffic. By combining attack signature packet grepping with Mandiant's Attack Lifecycle Model, we increase the effectiveness of packet grepping and create a methodology that is simple and powerful for constructing attack narratives. In order to show the effectiveness of the framework, we conduct a case study by using the 2015 National Collegiate Cyber Defense Competition (NCCDC) network traffic. Our preliminary results show that the framework is promising.