MAAC: Novel Alert Correlation Method To Detect Multi-step Attack
As attack methods keep improving, attacks are increasingly distributed, complex and targeted, and attackers combine several techniques in one campaign. Advanced cyber attacks proceed through multiple stages to reach their ultimate goal. Traditional intrusion detection systems, endpoint security management tools, firewalls and other monitoring tools generate a large number of alerts during such an attack. These alerts contain clues to the attack, but also many false positives unrelated to it. Security analysts must sift through this volume of alerts, extract the useful clues, correlate them, and reconstruct the attack scenario. However, most traditional security monitoring tools cannot correlate alerts from different sources, so many multi-step attacks go completely unnoticed unless an analyst finds them by manual analysis, which is like finding a needle in a haystack. We propose MAAC, a multi-step attack alert correlation algorithm that reduces repeated alerts and assembles multi-stage attack paths based on alert semantics and attack stages. Evaluation results on a public dataset and in a real-world scenario show that MAAC can find and evaluate attack paths from a large number of alerts.
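The two ingredients the abstract names, suppressing repeated alerts and chaining the survivors into attack paths by attack stage, can be illustrated with a small correlation routine. The following Python is an added example written for this page; it is not the MAAC algorithm from the paper, whose stage taxonomy and scoring are not described here. The stage ordering, the signature-to-stage mapping, the time windows and the sample alerts are all constructed assumptions chosen so that the example runs offline and shows how duplicate alerts collapse and how one multi-stage path emerges from noisy input.

```python
from dataclasses import dataclass

# Hypothetical, constructed stage ordering (the paper's own taxonomy is not on this page).
STAGES = {"recon": 0, "exploit": 1, "c2": 2, "exfil": 3}

# Hypothetical mapping from alert signature to attack stage; None marks alerts that
# carry no attack semantics and are treated as noise. Signature names are made up.
SIGNATURE_STAGE = {
    "ET SCAN Nmap": "recon",
    "ET EXPLOIT Web Shell Upload": "exploit",
    "ET MALWARE Beacon": "c2",
    "ET POLICY Large Outbound Transfer": "exfil",
    "ET INFO Benign Noise": None,
}


@dataclass(frozen=True)
class Alert:
    ts: int    # seconds since start of the capture
    src: str   # source address as reported by the sensor
    dst: str   # destination address
    sig: str   # sensor signature name


# Constructed sample alerts: a scan repeated three times, an exploit, a beacon from
# the compromised host, an outbound transfer, plus two unrelated alerts.
SAMPLE_ALERTS = [
    Alert(0, "10.0.0.5", "10.0.0.20", "ET SCAN Nmap"),
    Alert(10, "10.0.0.5", "10.0.0.20", "ET SCAN Nmap"),
    Alert(20, "10.0.0.5", "10.0.0.20", "ET SCAN Nmap"),
    Alert(600, "10.0.0.5", "10.0.0.20", "ET EXPLOIT Web Shell Upload"),
    Alert(700, "10.0.0.77", "10.0.0.21", "ET INFO Benign Noise"),
    Alert(800, "10.0.0.33", "10.0.0.40", "ET SCAN Nmap"),
    Alert(900, "10.0.0.20", "203.0.113.9", "ET MALWARE Beacon"),
    Alert(1500, "10.0.0.20", "203.0.113.9", "ET POLICY Large Outbound Transfer"),
]


def dedupe(alerts, window=300):
    """Collapse alerts with the same (src, dst, sig) that repeat within `window`
    seconds of the first kept occurrence; keeps the earliest copy."""
    last_seen = {}
    kept = []
    for a in sorted(alerts, key=lambda a: a.ts):
        key = (a.src, a.dst, a.sig)
        if key in last_seen and a.ts - last_seen[key] < window:
            continue
        last_seen[key] = a.ts
        kept.append(a)
    return kept


def stage_of(alert):
    return SIGNATURE_STAGE.get(alert.sig)


def _is_subsequence(short, long):
    it = iter(long)
    return all(a in it for a in short)


def build_paths(alerts, max_gap=3600):
    """Chain alerts into multi-stage paths. Each next step must come later, belong to
    a strictly later stage, lie within `max_gap` seconds, and originate from either
    the previous source (same attacker continuing) or the previous destination (pivot).
    Only maximal paths with at least two alerts are returned."""
    staged = [a for a in sorted(alerts, key=lambda a: a.ts) if stage_of(a) is not None]
    found = []

    def extend(path):
        last = path[-1]
        extended = False
        for cand in staged:
            if cand.ts <= last.ts or cand.ts - last.ts > max_gap:
                continue
            if STAGES[stage_of(cand)] <= STAGES[stage_of(last)]:
                continue
            if cand.src not in (last.src, last.dst):
                continue
            extend(path + [cand])
            extended = True
        if not extended and len(path) > 1:
            found.append(tuple(path))

    for a in staged:
        if STAGES[stage_of(a)] == 0:      # start a path only from the earliest stage
            extend([a])

    unique = list(dict.fromkeys(found))
    # Drop paths that are strict subsequences of a longer path (e.g. recon->exfil when
    # recon->exploit->c2->exfil exists), so each incident is reported once.
    return [list(p) for p in unique
            if not any(len(q) > len(p) and _is_subsequence(p, q) for q in unique)]


def score(path):
    """Rank paths: deeper final stage and more covered steps score higher."""
    return max(STAGES[stage_of(a)] for a in path) + len(path)


def correlate(alerts):
    """Full pipeline: suppress repeats, build stage-ordered paths, rank by score."""
    paths = build_paths(dedupe(alerts))
    return sorted(paths, key=score, reverse=True)


if __name__ == "__main__":
    for p in correlate(SAMPLE_ALERTS):
        print(score(p), " -> ".join(f"{a.src}>{a.dst}:{a.sig}" for a in p))
```

On the sample input the three scan alerts collapse to one, the noise alert and the isolated scan from 10.0.0.33 produce no path, and the remaining four alerts form a single recon, exploit, c2, exfil chain in which the pivot rule links the attacker's exploit against 10.0.0.20 to the beacon that host then sends out.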