A Bayesian network‐based approach for learning attack strategies from intrusion alerts

A tremendous number of low‐level alerts reported by information security systems clearly reflect the need for an advanced alert correlation system to reduce alert redundancy, correlate security alerts, detect attack strategies, and take appropriate actions against upcoming attacks. Up to now, a variety of alert correlation methods have been suggested. However, most of them rely on a priori and hard‐coded domain expert knowledge that leads to their difficult implementation and limited capabilities of detecting new attack strategies. To overcome the drawbacks of these approaches, the recent trend of research in alert correlation has gone towards extracting attack strategies through automatic analysis of intrusion alerts. In line with the recent researches, in this paper, we present new algorithms to automatically mine attack behavior patterns from historical alerts as accurately and efficiently as possible. Our system is composed of two main components. The first offline component automatically generates correlation rules by analyzing the previously observed alerts using a Bayesian causality analysis mechanism. Then, in the online alert correlation component, alerts are correlated using a hierarchical scheme and based on the extracted rules. Our experimental results clearly show efficiency of the proposed method in learning new attack strategies. Copyright © 2013 John Wiley & Sons, Ltd.