Day 1

Attacker Strategy Discovery from Intrusion Alerts

Attack graphs (AG) are insightful models of attacker strategies that show the paths followed by attackers to penetrate a network. Existing work on AG generation requires expensive expert knowledge and published vulnerability reports, which do not exist yet for unreported vulnerabilities. Meanwhile, there exists an abundance of intrusion alerts from prior security incidents that analysts struggle to investigate.

In this talk, I introduce Alert-driven Attack Graphs (AGs) that are learned purely from intrusion alerts, without a priori expert knowledge. The method exploits the temporal and probabilistic dependence between alerts in a Suffix-based Probabilistic Deterministic Finite Automaton (S-PDFA) — a model that brings infrequent severe alerts into the spotlight and summarizes paths to contextually-similar severe alerts. Then, AGs are extracted from the model on a per-objective, per-victim basis. The AGs are succinct, interpretable, and provide actionable intelligence about attack progression, such as strategic differences and overlapping attack paths. They even show that attackers tend to follow shorter paths after they have discovered a longer one.
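To make the per-objective, per-victim extraction concrete, here is an added illustration (not the speaker's code, and not the S-PDFA itself): it groups a constructed alert stream into attacker-victim sequences, indexes every path that reaches a severe alert from the severe alert backwards (the suffix orientation), and reads an attack graph back out for one objective against one victim. The severity set, signatures and hosts are all made up for the example.

```python
from collections import defaultdict

# Constructed sample alerts, as (timestamp, attacker, victim, signature).
# Severity labels are assumed for the example; a real deployment would take them from the IDS.
SEVERE = {"exploit", "data-exfil"}
ALERTS = [
    (1, "10.0.0.5", "srv1", "scan"),
    (2, "10.0.0.5", "srv1", "brute-force"),
    (3, "10.0.0.5", "srv1", "exploit"),
    (4, "10.0.0.5", "srv2", "scan"),
    (5, "10.0.0.5", "srv2", "exploit"),
    (6, "10.0.0.9", "srv1", "scan"),
    (7, "10.0.0.9", "srv1", "brute-force"),
    (8, "10.0.0.9", "srv1", "exploit"),
    (9, "10.0.0.9", "srv1", "data-exfil"),
]

def episodes(alerts):
    """Group alerts into one time-ordered signature sequence per (attacker, victim) pair."""
    seqs = defaultdict(list)
    for _ts, src, dst, sig in sorted(alerts):
        seqs[(src, dst)].append(sig)
    return seqs

def suffix_model(seqs):
    """Index paths by the severe alert they end in, stored reversed so the objective is the root.

    Returns objective -> {(victim, reversed_path): count}. Reversing keeps a rare objective
    from being buried under the common 'scan' prefixes that every sequence shares."""
    model = defaultdict(lambda: defaultdict(int))
    for (_src, dst), seq in seqs.items():
        for i, sig in enumerate(seq):
            if sig in SEVERE:
                model[sig][(dst, tuple(reversed(seq[: i + 1])))] += 1
    return model

def attack_graph(model, objective, victim):
    """Extract the AG for one objective against one victim as forward edges weighted by frequency."""
    edges = defaultdict(int)
    for (dst, rpath), n in model[objective].items():
        if dst != victim:
            continue
        path = rpath[::-1]  # back to chronological order for display
        for a, b in zip(path, path[1:]):
            edges[(a, b)] += n
    return dict(edges)

if __name__ == "__main__":
    model = suffix_model(episodes(ALERTS))
    for objective in SEVERE:
        for victim in ("srv1", "srv2"):
            print(objective, victim, attack_graph(model, objective, victim))
```

Two attackers reaching `exploit` on srv1 by the same route collapse into one weighted path, while the shorter scan-to-exploit route on srv2 stays a separate graph.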
