An effective attack scenario construction model based on two-tier feature selection and coarse grain cleaning

Abstract

Attack Scenario Construction (ASC) via Alert Correlation (AC) is important to reveal the strategy of attack in terms of steps and stages that need to be launched to make the attack successful. Previous works on AC used two approaches which are Structural-based Alert Correlation (SAC) that clusters the alerts features to reveal a list of attack steps, and Casual-based Alert Correlation (CAC) which classifies the alerts based on the cause-effect relationship. However, major limitations of previous works have been found to have false and incomplete correlations due to inaccurate attack step identification based on different set of features, infiltration of raw alerts and failure to identify the sequence of attack stages. Therefore, an ASC model was developed to select significant features and to discover the complete correlations. Firstly, this research designed a two-tier feature selection using Information Gain (IG) for optimal accuracy on attack steps identification. Secondly, preserving the alerts using coarse grain cleaning for accurate attack stages identification was carried out. Finally, an effective attack scenario model to discover a complete relationship among alerts by identifying and mapping the related alerts was constructed. The model was successfully experimented using two types of datasets which are DARPA2000 and ISCX2012. The Completeness and Soundness of the model were measured to evaluate the overall correlation effectiveness. The existing works achieved 76% average completeness in comparison to the proposed model which achieved 100% completeness resulting in a 24% improvement. With regard to soundness measurement, the existing work scored 83.055% soundness while the proposed model soundness reached 100%, which has a 16.9% improvement. The findings has shown that this research is significant to Security Analyst (SA) for designing responsive and preventive mechanisms which are effective and reliable in protecting and securing computer networks.