Abstract
With the emerging of the Advanced Persistent Threat (APT) attacks, many high-level information systems have faced a large number of serious threats with characteristics of concealment, permeability, and pertinence. However, existing methods and technologies cannot provide comprehensive and promptly recognition for APT attack activities. To address this problem, we propose an APT Alerts and Logs Correlation Method, named APTALCM, to achieve the cyber situation comprehension. We firstly proposed a cyber situation ontology for modeling the concepts and properties to formalize APT attack activities; For recognize the APT attack intentions we also proposed a cyber situation instances similarity measures method based on SimRank method. Combining with instance similarity, we proposed the APT alert instances correlation method to reconstruct APT attack scenarios and the APT log instances correlation method to detect log instance communities. Through the coalescent of these methods, APTALCM can accomplish the cyber situation comprehension effectively by recognizing the APT attack intentions. The exhaustive experimental results show that the two kernel modules, i.e., Alert Instance Correlation Module (AICM) and Log Instance Correlation Module (LICM) in our APTALCM can achieve a high true positive rate and a low false positive rate.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Bass, T.: Intrusion detection systems and multisensor data fusion: Creating cyberspace situational awareness. Commun. ACM 43(4), 99–105 (2000)
Cuppens, F., Ortalo, R.: Lambda: a language to model a database for detection of attacks. In: Proceedings of the 3rd International Workshop on Recent Advances in Intrusion Detection (RAID 2000), Toulouse, vol. 1907, pp. 197–216 (2000)
Bhatt, P., Yano, E.T., Gustavsson, P.M.: Towards a framework to detect multi-stage advanced persistent threats attacks. In: Proc. of the IEEE Intel Symposium on Service Oriented System Engineering, Toronto, pp. 390–395 (2014)
Roschke, S., Cheng, F., Meinel, C.: A new alert correlation algorithm based on attack graph. CISIS 6694(11), 58–67 (2017)
Albanese, M.: Subrahmanian vs. scalable detection of cyberattacks. CISIM 245, 9–18 (2016)
Mathew, S., Upadhyaya, S., et al.: Situation awareness of multistage cyber attacks by semantic event fusion. In: Proceedings of the Military Communications Conference, London, pp. 1286–1291 (2018)
Aleroud, A., Karabatis, G., et al.: Context and semantics for detection of cyber attacks. Int. J. Inf. Comput. Secur. 6(1), 63–92 (2014)
Hutchins, E.M., et al.: Intelligence driven computer network defense informed analysis of adversary campaigns intrusion kill chains. In: Proceedings of the ICIW, Chicago, pp. 113–127 (2011)
Julisch, K.: Clustering intrusion detection alarms to support root cause analysis. ACM Trans Inf. Syst. Secur. 48(4), 443–471 (2016)
Ourston, D., et al.: Applications of hidden Markov models to detecting multi-stage network attacks. In: Proceedings of the Hawaii International Conference on System Sciences, Hawaii, pp. 73–76 (2016)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Cheng, X., Zhang, J., Chen, B. (2019). Correlate the Advanced Persistent Threat Alerts and Logs for Cyber Situation Comprehension. In: Meng, W., Furnell, S. (eds) Security and Privacy in Social Networks and Big Data. SocialSec 2019. Communications in Computer and Information Science, vol 1095. Springer, Singapore. https://doi.org/10.1007/978-981-15-0758-8_10
Download citation
DOI: https://doi.org/10.1007/978-981-15-0758-8_10
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-15-0757-1
Online ISBN: 978-981-15-0758-8
eBook Packages: Computer ScienceComputer Science (R0)