Automatic Multi-step Attack Pattern Discovering

Current techniques employed in security alert correlation area for multi-step attack recognition purpose are intricate to be performed due to the complexity of the methods and huge computing workload generated during alert analysis and processing. In this paper, we proposed a new method of alert correlation aiming at providing concentrated security event information and thus finding multi-step attack patterns accordingly. We use a kind of extension time window when aggregate the alerts into high level alerts. We then connect hyper alerts into candidate multi-step attack patterns according to their IP address association. The final real multi-step attack patterns are discovered from these connected attack patterns with quantitative correlation calculation method. The method is easy to implement and practical to deploy which is proved by the result of our experiments. The experiment also shows our approach can effectively find real multi-step attack behavior patterns and can be used to identify true attack threats.