Related Work

Recently, there have been several proposed techniques of alert correlation and attack scenario analysis.

Valdes and Skinner [52] proposed probabilistic-based approach to correlate security alerts by measuring and evaluating the similarities of alert attributes.

In particular, the correlation process includes two phases. The first phase ag-gregates low-level events using the concept of attack threads. The second phase uses a similarity metric to fuse alerts into meta-alerts to provide a higher-level

view of the security state of the system. Alert aggregation and scenario con-struction are conducted by enhancing or relaxing the similarity requirements in some attribute fields.

Porras et al. designed a "mission-impact-based" correlation system with a focus on the attack impacts on the protected domains [45]. The work is an extension to the prior system proposed in [52], The system uses clustering algorithms to aggregate and correlate alerts. Security incidents are ranked based on the security interests and the relevance of attack to the protected networks and systems.

Some correlation research work are based on pre-defined attack scenarios or association between mission goals and security events. Goldman et al. [19] built a correlation system based on Bayesian reasoning. The system predefines the causal relationship between mission goals and corresponding security events as a knowledge base. The inference engine relies on the causal relationship library to investigate security alerts and perform alert correlation.

Debar and Wespi [14] applied backward and forward reasoning techniques to correlate alerts. Two alert relationships were defined, i.e., duplicate and consequence. In a correlation process, backward-reasoning looks for duplicates of an alert, and forward-reasoning determines if there are any consequences of an alert. They used clustering algorithms to detect attack scenarios and situations. This approach pre-defines consequences of attacks in a configuration file.

Kriigel et al. [34] proposed a distributed pattern matching scheme based on an attack specification language that describes various attack scenario patterns.

Alert analysis and correlation are based on the pattern matching scheme.

Morin and Debar [38] applied chronicles formalism to aggregating and cor-relating alerts. Chronicles provide a high level language to describe the attack scenarios based on time information. Chronicles formalism approach has been used in many areas to monitor dynamic systems. The approach performs at-tack scenario pattern recognition based on known malicious event sequences.

Therefore, this approach is analogous to misuse intrusion detection.

Ning et al. [39], Cuppens and Miege [12] and Cheung et al. [7] built alert correlation systems based on matching the pre- and post-conditions of indi-vidual alerts. The idea of this approach is that prior attack steps prepare for later ones. Therefore, the consequences of earlier attacks correspond to the prerequisites of later attacks. The correlation engine searches alert pairs that have a consequence and prerequisite matching. In addition to the alert pre- and post-condition matching, the approach in [12] also has a number of phases including alert clustering, alert merging, and intention recognition. In the first two phases, alerts are clustered and merged using a similarity function. The intention recognition phase is referenced in their model, but has not been im-plemented. Having the correlation result, the approach in [39] further builds correlation graphs based on correlated alert pairs [39]. Recently, Ning et al. [41 ]

152 Discovering Novel Attack Strategies from INFOSEC Alerts have extended the pre- and post-condition-based correlation technique to cor-relate some isolated attack scenarios by hypothesizing missed attack steps.

In the field of network management, alert or event correlation has been an active research topic and a subject of numerous scientific publications for over 10 years. The objective of alert correlation in a network management system (NMS) is to localize the faults occurred in communication systems.

The problem of alert correlation in NMS is also referred as root cause analysis.

During the past 10 more years, many solutions have been proposed, e.g., case-based systems [36], model-case-based approaches [42, 28] and code book-case-based technique [33]. The techniques are derived from different areas of computer science including artificial intelligence (AI), graph theory, neural networks, information theory, and automata theory.

Most of the proposed approaches have limited capabilities because they rely on various forms of predefined knowledge of attacks or attack transition pat-terns using attack modeling language or pre- and post-conditions of individual attacks. Therefore, those approaches cannot recognize a correlation when an attack is new or the relationship between attacks is new. In other words, these approaches in principle are similar to misuse detection techniques, which use the "signatures" of known attacks to perform pattern matching and cannot detect new attacks. It is obvious that the number of possible correlations is very large, potentially a combinatorial of the number of known and new attacks. It is in-feasible to know a priori and encode all possible matching conditions between attacks. In practice, the more dangerous and intelligent adversaries will always invent new attacks and novel attack sequences. Therefore, we must develop significantly better alert correlation algorithms that can discover sophisticated and new attack sequences.

In the network management system (NMS), most event correlation tech-niques also depend on various knowledge of underlying networks and the rela-tionship among faults and corresponding alerts. In addition, in an NMS, event correlation focuses more on alerts resulted from network faults that often have fixed patterns. Therefore, modeling-based or rule-based techniques are mostly appUed in various correlation systems. Whereas in security, alerts are more di-verse and unpredictable because the attackers are intelligent and can use flexible strategies. Therefore, it is difficult to apply correlation techniques developed in network management system to the analysis of security alerts.

Our approach aims to address the challenge of how to detect novel attack strategies that can consist of a series of unknown patterns of attack transitions.

In alert correlation techniques, our approach differs from other work in the following aspects. Our approach integrates three complementary correlation engines to discover attack scenario patterns. It includes both knowledge-based correlation mechanisms and statistical and temporal-based correlation methods.

We apply a Bayesian-based correlation engine to the attack steps that are directly related, e.g., a prior attack enables the later one. Our Bayesian-based

correlation engine differs from previous work in that we incorporate knowledge of attack step transitions as a constraint when conducting probabilistic inference.

The correlation engine performs the inference about the correlation based on broad indicators of attack impacts without using the strict hard-coded pre-/post-condition matching.

In addition to domain knowledge-based correlation engine, we have devel-oped two statistical and temporal-based correlation engines. The first one ap-plies causal discovery theory to alert analysis and correlation. This approach identifies alert relationship based on statistical analysis of attack dependence.

Having observed that many attack steps in a complicated attack strategy of-ten have a strong temporal relationship, we have developed a correlation en-gine using temporal analysis. In particular, we applied Granger-Causality Test technique to discovering attack steps that have strong temporal and statistical patterns.

These two statistical and temporal-based correlation techniques differ from other related work in that they do not rely on prior knowledge of attack strategies or pre- and post-conditions of individual attacks. Therefore, these two statistical and temporal-based approaches can be used to discover new attack strategies that can have unknown attack transition patterns. To the best of our knowledge, our approach is the first approach that detects new attack strategies without relying on pre-defined knowledge base.

Our integrated approach also provides a quantitative analysis of the likelihood of various attack paths. With the aggregated correlation results, security analysts can perform further analysis and make inferences about high-level attack plans.