SAGE: Intrusion Alert-driven Attack Graph Extractor

Add code
Jul 06, 2021
Azqa Nadeem, Sicco Verwer, Stephen Moskal, Shanchieh Jay Yang
Figure 1 for SAGE: Intrusion Alert-driven Attack Graph Extractor
Figure 2 for SAGE: Intrusion Alert-driven Attack Graph Extractor
Figure 3 for SAGE: Intrusion Alert-driven Attack Graph Extractor
Figure 4 for SAGE: Intrusion Alert-driven Attack Graph Extractor

Share this with someone who'll enjoy it:

Twitter IconFacebook IconLinkedin IconWhatsapp IconMessenger Icon

Attack graphs (AG) are used to assess pathways availed by cyber adversaries to penetrate a network. State-of-the-art approaches for AG generation focus mostly on deriving dependencies between system vulnerabilities based on network scans and expert knowledge. In real-world operations however, it is costly and ineffective to rely on constant vulnerability scanning and expert-crafted AGs. We propose to automatically learn AGs based on actions observed through intrusion alerts, without prior expert knowledge. Specifically, we develop an unsupervised sequence learning system, SAGE, that leverages the temporal and probabilistic dependence between alerts in a suffix-based probabilistic deterministic finite automaton (S-PDFA) -- a model that accentuates infrequent severe alerts and summarizes paths leading to them. AGs are then derived from the S-PDFA. Tested with intrusion alerts collected through Collegiate Penetration Testing Competition, SAGE produces AGs that reflect the strategies used by participating teams. The resulting AGs are succinct, interpretable, and enable analysts to derive actionable insights, e.g., attackers tend to follow shorter paths after they have discovered a longer one.

* Accepted to appear in the 1st KDD Workshop on AI-enabled Cybersecurity Analytics (AI4cyber), 2021  
View paper onarxiv icon

Share this with someone who'll enjoy it:

Twitter IconFacebook IconLinkedin IconWhatsapp IconMessenger Icon