
Alert correlation for intelligent threat detection and response

Research output: Contribution to journal › Article › peer-review


Abstract

With the increasing diversity of IoT devices, keeping IT systems secure is becoming increasingly difficult. Attackers exploit vulnerabilities within the system in order to access sensitive information, typically reaching their objective through several steps. Current Intrusion Detection Systems (IDSs) focus on low-level alerts and tend to produce a high rate of false positives. This type of information alone is insufficient for the detection of sophisticated attack scenarios such as Advanced Persistent Threats (APTs). Consequently, correlation techniques have recently been introduced to correlate alerts and reconstruct attack scenarios; however, various attack scenarios exist, with diverse characteristics, and the different steps of an APT scenario may each have their own characteristics. Therefore, finding a single method that covers all cases remains a challenge. Moreover, after detecting APTs, how the system should respond to these attacks to avoid sabotage of the system remains a challenge. Thus, in this paper, we first classify the different cases for detection of the attacks, and then propose a method based on the different characteristics of attack patterns to detect APT scenarios. The proposed method consists of two main phases: APT detection and the intelligent hybrid response framework. In the APT detection phase, similar alerts are aggregated and attack graphs are generated based on a similarity matrix. These graphs, combined with third-party API data, enable alert correlation and APT scenario detection. Entity graphs are then created to visualise host behaviour, and alert graphs are analysed to detect APT scenarios. In the response phase, attack graphs produced by the correlation inform the hybrid response framework, which integrates knowledge-driven and data-driven components that facilitate automated or recommended mitigation. The approach was evaluated on the ZeekData24 dataset.
The precision and recall obtained on the malicious traffic were 96.65% and 87.04% respectively. The results show that our approach can effectively filter false-positive alerts, reducing the data from 10,063 alerts daily to 586 meta-alerts, pruned to 48 attack graphs and finally reduced to 20 suspicious attack graphs.
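The reduction pipeline the abstract describes (raw alerts aggregated into meta-alerts by a similarity measure, meta-alerts linked into attack graphs, graphs pruned to multi-step suspicious candidates) can be sketched in a few functions. This is an added example, not the paper's code: the similarity measure (fraction of matching src, dst, signature and time proximity), the host-sharing rule for linking meta-alerts, and the "at least two distinct signatures" pruning rule are all assumptions made here, and the alerts are constructed, not drawn from ZeekData24.

```python
from datetime import datetime, timedelta

# Constructed sample alerts (hypothetical; not taken from ZeekData24), with Zeek notice-like fields.
ALERTS = [
    {"ts": "2024-01-01T10:00:00", "src": "10.0.0.5", "dst": "10.0.0.20", "sig": "Scan::Port_Scan"},
    {"ts": "2024-01-01T10:00:20", "src": "10.0.0.5", "dst": "10.0.0.20", "sig": "Scan::Port_Scan"},
    {"ts": "2024-01-01T10:01:00", "src": "10.0.0.5", "dst": "10.0.0.20", "sig": "Scan::Port_Scan"},
    {"ts": "2024-01-01T10:05:00", "src": "10.0.0.5", "dst": "10.0.0.20", "sig": "SSH::Password_Guessing"},
    {"ts": "2024-01-01T10:30:00", "src": "10.0.0.20", "dst": "10.0.0.30", "sig": "Intel::Notice"},
    {"ts": "2024-01-01T11:00:00", "src": "10.0.0.7", "dst": "10.0.0.40", "sig": "SSL::Invalid_Server_Cert"},
]

def similarity(a, b, window=timedelta(minutes=2)):
    """Assumed similarity measure: fraction of matching attributes (src, dst, signature, time proximity)."""
    ta, tb = datetime.fromisoformat(a["ts"]), datetime.fromisoformat(b["ts"])
    matches = [a["src"] == b["src"], a["dst"] == b["dst"], a["sig"] == b["sig"], abs(ta - tb) <= window]
    return sum(matches) / len(matches)

def aggregate(alerts, threshold=1.0):
    """Phase 1: fold each alert into the first meta-alert it is similar enough to, else open a new one."""
    metas = []
    for alert in sorted(alerts, key=lambda x: x["ts"]):
        for meta in metas:
            if similarity(meta["first"], alert) >= threshold:
                meta["count"] += 1
                break
        else:
            metas.append({"first": alert, "src": alert["src"], "dst": alert["dst"], "sig": alert["sig"], "count": 1})
    return metas

def build_attack_graphs(metas):
    """Phase 2: connected components of meta-alerts that share a host (same src/dst, or a dst that is a later src)."""
    parent = list(range(len(metas)))
    def find(i):
        while parent[i] != i:
            i = parent[i]
        return i
    for i, a in enumerate(metas):
        for j, b in enumerate(metas[i + 1:], start=i + 1):
            if {a["src"], a["dst"]} & {b["src"], b["dst"]}:
                parent[find(i)] = find(j)
    groups = {}
    for i, m in enumerate(metas):
        groups.setdefault(find(i), []).append(m)
    return list(groups.values())

def suspicious(graphs, min_steps=2):
    """Prune to multi-step candidates: graphs whose meta-alerts carry at least min_steps distinct signatures."""
    return [g for g in graphs if len({m["sig"] for m in g}) >= min_steps]
```

On the constructed input, six alerts become four meta-alerts, two attack graphs, and one suspicious graph of three linked steps; the single-signature certificate alert is pruned as a likely false positive.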
Original language: English
Article number: 200606
Pages (from-to): 1-15
Number of pages: 15
Journal: Intelligent Systems with Applications
Volume: 28
Early online date: 7 Nov 2025
DOIs
Publication status: Published (in print/issue) - 1 Dec 2025

Data Availability Statement

Data will be made available on request.

Funding

This research is supported by the BT Ireland Innovation Centre (BTIIC) project, funded by British Telecom, UK and Invest Northern Ireland, UK.

Keywords

  • Advanced Persistent Threat (APT)
  • Correlation engine
  • Intrusion Detection System (IDS)
  • Multi-step attack
  • Intrusion Response System (IRS)
