{"title":"Automatic Attack Scenario Construction by Mining Meta-alert Sequences","authors":"Guo Fan, Yu Min","doi":"10.1109/WMWA.2009.13","DOIUrl":null,"url":null,"abstract":"Researchers have been using intrusion scenarios to represent complicated attack procedures at a high level of abstraction, while, to the best of our knowledge, none is able to produce the scenarios online. An automatic intrusion scenario construction method is proposed in this paper. According to the source and destination IP pair and the priority of the raw alerts, the method first clusters them into different meta-alert sequences, from which frequent closed sequences are mined to construct scenarios; after that, correlation rules between scenarios are mined based on their support. Experiments on Darpa99 and Darpa2000 show that the method can effectively discover attack procedures and run online.","PeriodicalId":375180,"journal":{"name":"2009 Second Pacific-Asia Conference on Web Mining and Web-based Application","volume":"54 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2009-06-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2009 Second Pacific-Asia Conference on Web Mining and Web-based Application","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/WMWA.2009.13","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 1
Abstract
Researchers have been using intrusion scenarios to represent complicated attack procedures at a high level of abstraction, while, to the best of our knowledge, none is able to produce the scenarios online. An automatic intrusion scenario construction method is proposed in this paper. According to the source and destination IP pair and the priority of the raw alerts, the method first clusters them into different meta-alert sequences, from which frequent closed sequences are mined to construct scenarios; after that, correlation rules between scenarios are mined based on their support. Experiments on Darpa99 and Darpa2000 show that the method can effectively discover attack procedures and run online.