Real-time attack graph generation using intrusion alerts

Abstract

In an era where cyber threats evolve with alarming speed and sophistication, the role of Security Operation Centers (SOCs) has become increasingly pivotal in safeguarding digital infrastructures. SOCs serve as the frontline defence against malicious entities, where they continuously monitor and analyze network traffic, as well as the activity of users and systems for potential threats. The rapid growth of advanced cyber-attacks has amplified the reliance on Intrusion Detection Systems (IDS) to generate alerts for anomalous activities, and on SOC analysts to analyze those alerts. However, these systems often yield an overwhelming number of alerts, many of which are false positives, leading to alert fatigue among analysts. The scarcity of effective visualization tools, coupled with the analysts' dependence on manual investigation and correlation of events aggravates this issue, resulting in extended alert analysis times. Moreover, the number of attack scenarios keeps increasing daily, making it difficult to understand the possible next actions of an attacker and apply preventive measures.This thesis introduces an innovative approach to aid SOC analysts in managing the large influx of alerts, mitigating alert fatigue, and enhancing the efficiency of threat identification and response. We present an attack prediction tool with alert visualization capabilities that produces real-time attack graphs, summarizing the alerts associated with a specific host. Our method utilizes a Suffix-based Probabilistic Deterministic Finite Automaton (SPDFA) to predict future attacker actions, promoting a proactive defence strategy, and achieving an accuracy of 33.71 %. We validate the practicality and relevance of our contributions through interviews with six security experts, confirming the utility of our methods in a live SOC context. Furthermore, we demonstrate the applicability of our approach by testing it with three datasets collected in the real world. Our work stands apart by simultaneously addressing alert correlation, attack visualization, and predictive modelling of attacker behaviour.Computer Science | Cyber Securit