Alert correlation using diamond model for cyber threat intelligence

Youngsup Shin, Changwan Lim, Mookyu Park, Sungyoung Cho, Insung Han, Haengrok Oh, Kyungho Lee

Research output: Chapter in Book/Report/Conference proceedingConference contribution

2 Citations (Scopus)


Information security has gathered great attention leading to a variety of network sensors and Intrusion Detection Systems (IDS), generating numerous threat events. Large number of threat events are difficult to be managed by passive countermeasures of security manpower, lacking in prompt situation recognition and preemptive responses. Therefore, automated cyber threat analysis techniques based on big data or machine learning are required for effective security control and threat analysis. Also, correlation analysis with Cyber Threat Intelligence (CTI) that occurred in the past enables high level analysis of intrusion intent as well as preemptive response. Therefore, approach to autonomous alert correlation methods using machine learning algorithm such as Bayesian network, Hidden Markov Model (HMM), Support Vector Machine (SVM) and neural network are studied for threat analysis recently. In this paper, we propose analysis method for alerts generated by Security Information and Event Management system (SIEM) in two parts. In the first part, we apply Bayesian network to generate attack scenario and infer intent of the intrusion. We define the causality of alerts generated by SIEMs through alert correlation algorithm based on Bayesian network. This facilitates identification of the invasion pathway as well as prediction of the next attack. In the second part, we employed Diamond model to the generated attack scenarios for threat analysis using CTI. Rather than merely plotting an attack graph, it applies the Diamond model to the attack graph based on the cyber kill chain, allowing the analyst to identify more information at a glance. In order to apply Diamond model, we expanded features of each attack such as asset information of the system or vulnerabilities. Accordingly, each attack scenario could be reconstructed as CTI format and compared with threats occurred in the past. Therefore, we demonstrated the feasibility of successful identification and rapid response of the overall attack situation.

Original languageEnglish
Title of host publicationProceedings of the 18th European Conference on Cyber Warfare and Security, ECCWS 2019
EditorsTiago Cruz, Paulo Simoes
PublisherCurran Associates Inc.
Number of pages7
ISBN (Electronic)9781912764280
Publication statusPublished - 2019
Event18th European Conference on Cyber Warfare and Security, ECCWS 2019 - Coimbra, Portugal
Duration: 2019 Jul 42019 Jul 5

Publication series

NameEuropean Conference on Information Warfare and Security, ECCWS
ISSN (Print)2048-8602
ISSN (Electronic)2048-8610


Conference18th European Conference on Cyber Warfare and Security, ECCWS 2019


  • Alert correlation
  • Cyber threat analysis
  • Cyber threat intelligence
  • Diamond model

ASJC Scopus subject areas

  • Information Systems
  • Information Systems and Management
  • Safety, Risk, Reliability and Quality


Dive into the research topics of 'Alert correlation using diamond model for cyber threat intelligence'. Together they form a unique fingerprint.

Cite this