Enabling Visual Analytics via Alert-driven Attack Graphs

A. Nadeem; S.E. Verwer; Stephen Moskal; Shanchieh Jay Yang

doi:10.1145/3460120.3485361

Enabling Visual Analytics via Alert-driven Attack Graphs

A. Nadeem, S.E. Verwer, Stephen Moskal, Shanchieh Jay Yang

Cyber Security

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

5 Citations (Scopus)

129 Downloads (Pure)

Abstract

Attack graphs (AG) are a popular area of research that display all the paths an attacker can exploit to penetrate a network. Existing techniques for AG generation rely heavily on expert input regarding vulnerabilities and network topology. In this work, we advocate the use of AGs that are built directly using the actions observed through intrusion alerts, without prior expert input. We have developed an unsupervised visual analytics system, called SAGE, to learn alert-driven attack graphs. We show how these AGs (i) enable forensic analysis of prior attacks, and (ii) enable proactive defense by providing relevant threat intelligence regarding attacker strategies. We believe that alert-driven AGs can play a key role in AI-enabled cyber threat intelligence as they open up new avenues for attacker strategy analysis whilst reducing analyst workload.

Original language	English
Title of host publication	CCS 2021 - Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security
Publisher	Association for Computing Machinery (ACM)
Pages	2420-2422
Number of pages	3
ISBN (Print)	978-1-4503-8454-4
DOIs	https://doi.org/10.1145/3460120.3485361
Publication status	Published - 2021
Event	ACM SIGSAC Conference on Computer and Communications Security - Virtual Duration: 15 Nov 2021 → 19 Nov 2021 https://www.sigsac.org/ccs/CCS2021/

Publication series

Name	Proceedings of the ACM Conference on Computer and Communications Security
ISSN (Print)	1543-7221

Conference

Conference	ACM SIGSAC Conference on Computer and Communications Security
Abbreviated title	CCS
Period	15/11/21 → 19/11/21
Internet address	https://www.sigsac.org/ccs/CCS2021/

Bibliographical note

Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care

Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.

Keywords

Attack graphs
Intrusion alerts
Finite state automaton
attack graphs
finite state automaton
intrusion alerts

Access to Document

10.1145/3460120.3485361

3460120.3485361 (1)Final published version, 2.23 MB

Cite this

Nadeem, A., Verwer, S. E., Moskal, S., & Yang, S. J. (2021). Enabling Visual Analytics via Alert-driven Attack Graphs. In CCS 2021 - Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security (pp. 2420-2422). (Proceedings of the ACM Conference on Computer and Communications Security). Association for Computing Machinery (ACM). https://doi.org/10.1145/3460120.3485361

@inproceedings{66025049d0594a1ab9714474736f40f0,

title = "Enabling Visual Analytics via Alert-driven Attack Graphs",

abstract = "Attack graphs (AG) are a popular area of research that display all the paths an attacker can exploit to penetrate a network. Existing techniques for AG generation rely heavily on expert input regarding vulnerabilities and network topology. In this work, we advocate the use of AGs that are built directly using the actions observed through intrusion alerts, without prior expert input. We have developed an unsupervised visual analytics system, called SAGE, to learn alert-driven attack graphs. We show how these AGs (i) enable forensic analysis of prior attacks, and (ii) enable proactive defense by providing relevant threat intelligence regarding attacker strategies. We believe that alert-driven AGs can play a key role in AI-enabled cyber threat intelligence as they open up new avenues for attacker strategy analysis whilst reducing analyst workload.",

keywords = "Attack graphs, Intrusion alerts, Finite state automaton, attack graphs, finite state automaton, intrusion alerts",

author = "A. Nadeem and S.E. Verwer and Stephen Moskal and Yang, {Shanchieh Jay}",

note = "Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.; ACM SIGSAC Conference on Computer and Communications Security, CCS ; Conference date: 15-11-2021 Through 19-11-2021",

year = "2021",

doi = "10.1145/3460120.3485361",

language = "English",

isbn = "978-1-4503-8454-4",

series = "Proceedings of the ACM Conference on Computer and Communications Security",

publisher = "Association for Computing Machinery (ACM)",

pages = "2420--2422",

booktitle = "CCS 2021 - Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security",

address = "United States",

url = "https://www.sigsac.org/ccs/CCS2021/",

}

Nadeem, A , Verwer, SE, Moskal, S & Yang, SJ 2021, Enabling Visual Analytics via Alert-driven Attack Graphs. in CCS 2021 - Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. Proceedings of the ACM Conference on Computer and Communications Security, Association for Computing Machinery (ACM), pp. 2420-2422, ACM SIGSAC Conference on Computer and Communications Security, 15/11/21. https://doi.org/10.1145/3460120.3485361

Enabling Visual Analytics via Alert-driven Attack Graphs. / Nadeem, A.; Verwer, S.E.; Moskal, Stephen et al.
CCS 2021 - Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery (ACM), 2021. p. 2420-2422 (Proceedings of the ACM Conference on Computer and Communications Security).

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

TY - GEN

T1 - Enabling Visual Analytics via Alert-driven Attack Graphs

AU - Nadeem, A.

AU - Verwer, S.E.

AU - Moskal, Stephen

AU - Yang, Shanchieh Jay

N1 - Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.

PY - 2021

Y1 - 2021

N2 - Attack graphs (AG) are a popular area of research that display all the paths an attacker can exploit to penetrate a network. Existing techniques for AG generation rely heavily on expert input regarding vulnerabilities and network topology. In this work, we advocate the use of AGs that are built directly using the actions observed through intrusion alerts, without prior expert input. We have developed an unsupervised visual analytics system, called SAGE, to learn alert-driven attack graphs. We show how these AGs (i) enable forensic analysis of prior attacks, and (ii) enable proactive defense by providing relevant threat intelligence regarding attacker strategies. We believe that alert-driven AGs can play a key role in AI-enabled cyber threat intelligence as they open up new avenues for attacker strategy analysis whilst reducing analyst workload.

AB - Attack graphs (AG) are a popular area of research that display all the paths an attacker can exploit to penetrate a network. Existing techniques for AG generation rely heavily on expert input regarding vulnerabilities and network topology. In this work, we advocate the use of AGs that are built directly using the actions observed through intrusion alerts, without prior expert input. We have developed an unsupervised visual analytics system, called SAGE, to learn alert-driven attack graphs. We show how these AGs (i) enable forensic analysis of prior attacks, and (ii) enable proactive defense by providing relevant threat intelligence regarding attacker strategies. We believe that alert-driven AGs can play a key role in AI-enabled cyber threat intelligence as they open up new avenues for attacker strategy analysis whilst reducing analyst workload.

KW - Attack graphs

KW - Intrusion alerts

KW - Finite state automaton

KW - attack graphs

KW - finite state automaton

KW - intrusion alerts

UR - http://www.scopus.com/inward/record.url?scp=85119383217&partnerID=8YFLogxK

U2 - 10.1145/3460120.3485361

DO - 10.1145/3460120.3485361

M3 - Conference contribution

SN - 978-1-4503-8454-4

T3 - Proceedings of the ACM Conference on Computer and Communications Security

SP - 2420

EP - 2422

BT - CCS 2021 - Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security

PB - Association for Computing Machinery (ACM)

T2 - ACM SIGSAC Conference on Computer and Communications Security

Y2 - 15 November 2021 through 19 November 2021

ER -

Enabling Visual Analytics via Alert-driven Attack Graphs

Abstract

Publication series

Conference

Bibliographical note

Keywords

Access to Document

Other files and links

Fingerprint

Alert-driven Attack Graph Generation using S-PDFA

SAGE: Intrusion Alert-driven Attack Graph Extractor

Cite this