TY - GEN
T1 - Alert correlation using diamond model for cyber threat intelligence
AU - Shin, Youngsup
AU - Lim, Changwan
AU - Park, Mookyu
AU - Cho, Sungyoung
AU - Han, Insung
AU - Oh, Haengrok
AU - Lee, Kyungho
N1 - Funding Information:
This work was supported by Defense Acquisition Program Administration and Agency for Defense Development under the contract (UD160066BD).
Publisher Copyright:
© 2019, Curran Associates Inc. All rights reserved.
PY - 2019
Y1 - 2019
N2 - Information security has gathered great attention, leading to a variety of network sensors and Intrusion Detection Systems (IDS) that generate numerous threat events. Large numbers of threat events are difficult to manage with the passive countermeasures of security staff, which lack prompt situation recognition and preemptive response. Therefore, automated cyber threat analysis techniques based on big data or machine learning are required for effective security control and threat analysis. Also, correlation analysis with Cyber Threat Intelligence (CTI) from past incidents enables high-level analysis of intrusion intent as well as preemptive response. Therefore, autonomous alert correlation methods using machine learning algorithms such as Bayesian networks, Hidden Markov Models (HMM), Support Vector Machines (SVM) and neural networks have recently been studied for threat analysis. In this paper, we propose an analysis method for alerts generated by a Security Information and Event Management (SIEM) system, in two parts. In the first part, we apply a Bayesian network to generate attack scenarios and infer the intent of the intrusion. We define the causality of alerts generated by SIEMs through an alert correlation algorithm based on the Bayesian network. This facilitates identification of the invasion pathway as well as prediction of the next attack. In the second part, we apply the Diamond model to the generated attack scenarios for threat analysis using CTI. Rather than merely plotting an attack graph, the method applies the Diamond model to the attack graph based on the cyber kill chain, allowing the analyst to identify more information at a glance. In order to apply the Diamond model, we expanded the features of each attack with information such as the asset information of the system or its vulnerabilities. Accordingly, each attack scenario can be reconstructed in CTI format and compared with threats that occurred in the past. Therefore, we demonstrated the feasibility of successful identification of, and rapid response to, the overall attack situation.
AB - Information security has gathered great attention, leading to a variety of network sensors and Intrusion Detection Systems (IDS) that generate numerous threat events. Large numbers of threat events are difficult to manage with the passive countermeasures of security staff, which lack prompt situation recognition and preemptive response. Therefore, automated cyber threat analysis techniques based on big data or machine learning are required for effective security control and threat analysis. Also, correlation analysis with Cyber Threat Intelligence (CTI) from past incidents enables high-level analysis of intrusion intent as well as preemptive response. Therefore, autonomous alert correlation methods using machine learning algorithms such as Bayesian networks, Hidden Markov Models (HMM), Support Vector Machines (SVM) and neural networks have recently been studied for threat analysis. In this paper, we propose an analysis method for alerts generated by a Security Information and Event Management (SIEM) system, in two parts. In the first part, we apply a Bayesian network to generate attack scenarios and infer the intent of the intrusion. We define the causality of alerts generated by SIEMs through an alert correlation algorithm based on the Bayesian network. This facilitates identification of the invasion pathway as well as prediction of the next attack. In the second part, we apply the Diamond model to the generated attack scenarios for threat analysis using CTI. Rather than merely plotting an attack graph, the method applies the Diamond model to the attack graph based on the cyber kill chain, allowing the analyst to identify more information at a glance. In order to apply the Diamond model, we expanded the features of each attack with information such as the asset information of the system or its vulnerabilities. Accordingly, each attack scenario can be reconstructed in CTI format and compared with threats that occurred in the past. Therefore, we demonstrated the feasibility of successful identification of, and rapid response to, the overall attack situation.
KW - Alert correlation
KW - Cyber threat analysis
KW - Cyber threat intelligence
KW - Diamond model
UR - http://www.scopus.com/inward/record.url?scp=85069990324&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:85069990324
T3 - European Conference on Information Warfare and Security, ECCWS
SP - 444
EP - 450
BT - Proceedings of the 18th European Conference on Cyber Warfare and Security, ECCWS 2019
A2 - Cruz, Tiago
A2 - Simoes, Paulo
PB - Curran Associates Inc.
T2 - 18th European Conference on Cyber Warfare and Security, ECCWS 2019
Y2 - 4 July 2019 through 5 July 2019
ER -