Attack scenario recognition through heterogeneous event stream analysis

Abstract

Stealthy, goal-oriented multistage attacks are difficult to detect since they often consist of specific attack steps that do not cause significant variations in the statistical distributions of data streams. We present an approach for attack scenario detection and recognition that is based on analyzing data streams from multiple heterogeneous sensors. Events captured from these sensors are used to generate high-dimensional state vectors that characterize overall system-wide activity. Monitoring the time series of these state vectors through Principal Component Analysis forms the basis of an anomaly detection technique for real-time scenario detection. Data traffic from a real network that emulates a military intelligence network is used to test and validate this approach. Results indicate that our approach is both effective and has low computational requirements, making it a candidate for practical implementation.