An alert fusion framework for situation awareness of coordinated multistage attacks

Abstract

Recent incidents in the cyber world strongly suggest that coordinated multistage cyber attacks are quite feasible and that effective countermeasures need to be developed. Attack detection by correlation and fusion of intrusion alerts has been an active area of current research. However, most of these research efforts focus on ex post facto analysis of alert data to uncover related attacks. In this paper, we present an approach for dynamically calculating 'scenario credibilities' based on the state of a live intrusion alert stream. We also develop a framework for attack scenario representation that facilitates real-time fusion of intrusion alerts and calculation of the scenario credibility values. Our approach provides a usable mechanism for detecting, predicting and reasoning about multistage goal-oriented attacks in real time. The details of the fusion framework and a description of multistage attack detection using this framework are presented in this paper.