Correlate the Advanced Persistent Threat Alerts and Logs for Cyber Situation Comprehension

  • Xiang Cheng
  • Jiale Zhang
  • Bing ChenEmail author
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 1095)


With the emerging of the Advanced Persistent Threat (APT) attacks, many high-level information systems have faced a large number of serious threats with characteristics of concealment, permeability, and pertinence. However, existing methods and technologies cannot provide comprehensive and promptly recognition for APT attack activities. To address this problem, we propose an APT Alerts and Logs Correlation Method, named APTALCM, to achieve the cyber situation comprehension. We firstly proposed a cyber situation ontology for modeling the concepts and properties to formalize APT attack activities; For recognize the APT attack intentions we also proposed a cyber situation instances similarity measures method based on SimRank method. Combining with instance similarity, we proposed the APT alert instances correlation method to reconstruct APT attack scenarios and the APT log instances correlation method to detect log instance communities. Through the coalescent of these methods, APTALCM can accomplish the cyber situation comprehension effectively by recognizing the APT attack intentions. The exhaustive experimental results show that the two kernel modules, i.e., Alert Instance Correlation Module (AICM) and Log Instance Correlation Module (LICM) in our APTALCM can achieve a high true positive rate and a low false positive rate.


Cyber situation comprehension APT attack Alert correlation Log correlation 


  1. 1.
    Bass, T.: Intrusion detection systems and multisensor data fusion: Creating cyberspace situational awareness. Commun. ACM 43(4), 99–105 (2000)CrossRefGoogle Scholar
  2. 2.
    Cuppens, F., Ortalo, R.: Lambda: a language to model a database for detection of attacks. In: Proceedings of the 3rd International Workshop on Recent Advances in Intrusion Detection (RAID 2000), Toulouse, vol. 1907, pp. 197–216 (2000)Google Scholar
  3. 3.
    Bhatt, P., Yano, E.T., Gustavsson, P.M.: Towards a framework to detect multi-stage advanced persistent threats attacks. In: Proc. of the IEEE Intel Symposium on Service Oriented System Engineering, Toronto, pp. 390–395 (2014)Google Scholar
  4. 4.
    Roschke, S., Cheng, F., Meinel, C.: A new alert correlation algorithm based on attack graph. CISIS 6694(11), 58–67 (2017)Google Scholar
  5. 5.
    Albanese, M.: Subrahmanian vs. scalable detection of cyberattacks. CISIM 245, 9–18 (2016)Google Scholar
  6. 6.
    Mathew, S., Upadhyaya, S., et al.: Situation awareness of multistage cyber attacks by semantic event fusion. In: Proceedings of the Military Communications Conference, London, pp. 1286–1291 (2018)Google Scholar
  7. 7.
    Aleroud, A., Karabatis, G., et al.: Context and semantics for detection of cyber attacks. Int. J. Inf. Comput. Secur. 6(1), 63–92 (2014)Google Scholar
  8. 8.
    Hutchins, E.M., et al.: Intelligence driven computer network defense informed analysis of adversary campaigns intrusion kill chains. In: Proceedings of the ICIW, Chicago, pp. 113–127 (2011)Google Scholar
  9. 9.
    Julisch, K.: Clustering intrusion detection alarms to support root cause analysis. ACM Trans Inf. Syst. Secur. 48(4), 443–471 (2016)CrossRefGoogle Scholar
  10. 10.
    Ourston, D., et al.: Applications of hidden Markov models to detecting multi-stage network attacks. In: Proceedings of the Hawaii International Conference on System Sciences, Hawaii, pp. 73–76 (2016)Google Scholar

Copyright information

© Springer Nature Singapore Pte Ltd. 2019

Authors and Affiliations

  1. 1.College of Computer Science and TechnologyNanjing University of Aeronautics and AstronauticsNanjingChina

Personalised recommendations