University of Minnesota - Computer Science and Engineering Technical Report Abstract

A Multi-Step Framework for Detecting Attack Scenarios

Report Number: 06-004
Date of Submission: 2/21/2006

Authors:

View Report:
   PDF format

Abstract:

With growing dependence upon interconnected networks, defending these networks against intrusions is becoming increasingly important. In the case of attacks that are composed of multiple steps, detecting the entire attack scenario is of vital importance. In this paper, we propose an analysis framework that is able to detect these scenarios with little predefined information. The core of the system is the decomposition of the analysis into two steps: first detecting a few events in the attack with high confidence, and second, expanding from these events to determine the remainder of the events in the scenario. Our experiments show that we can accurately identify the majority of the steps contained within the attack scenario with relatively few false positives. Our framework can handle sophisticated attacks that are highly distributed, try to avoid standard pre-defined attack patterns, use cover traffic or "noisy" attacks to distract analysts and draw attention away from the true attack, and attempt to avoid detection by signature-based schemes through the use of novel exploits or mutation engines.

  • ©2006 - 2009 Regents of the University of Minnesota. All rights reserved.
  • Last modified on July 23, 2008