Discovering Multi-stage Attacks Using Closed Multi-dimensional Sequential Pattern Mining

  • Hanen Brahmi
  • Sadok Ben Yahia
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8056)


Due to the growing number and variety of intrusions, multi-stage attacks are becoming one of the main threats to network security. Intrusion Detection Systems (IDS) are intended to protect information systems against intrusions; nevertheless, they can only discover single-step attacks, not complicated multi-stage attacks. Consequently, IDS are plagued by the excessive generation of alerts. Therefore, it is not only important but also challenging for security managers to correlate security alerts to predict a multi-stage attack. In this respect, an approach based on sequential pattern mining to discover multi-stage attack activity is efficient in reducing the labor needed to construct pattern rules. In this paper, we introduce a novel alert correlation approach based on a new closed multi-dimensional sequential pattern mining algorithm. The main idea behind this approach is to discover temporal patterns of intrusions, which reveal attack behaviors, using alerts generated by IDS. Our experimental results show the robustness and efficiency of our new algorithm against those in the literature.


Keywords: Multi-stage attacks; Intrusion detection system; Multi-dimensional sequential patterns; Alert correlation





Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Hanen Brahmi (1)
  • Sadok Ben Yahia (2)
  1. Faculty of Sciences of Tunis, Computer Science Department, Campus University, Tunis, Tunisia
  2. UMR CNRS Samovar, Institut Mines-TELECOM, TELECOM SudParis, Evry Cedex, France
