Alert correlation using diamond model for cyber threat intelligence

Youngsup Shin, Changwan Lim, Mookyu Park, Sungyoung Cho, Insung Han, Haengrok Oh, Kyung Ho Lee

Research output: Chapter in Book/Report/Conference proceeding - Conference contribution

Abstract

Information security has gathered great attention, leading to a variety of network sensors and Intrusion Detection Systems (IDS) that generate numerous threat events. Such a large number of threat events is difficult to manage through the passive countermeasures of security personnel, which lack prompt situation recognition and preemptive response. Automated cyber threat analysis techniques based on big data or machine learning are therefore required for effective security control and threat analysis. In addition, correlation analysis against Cyber Threat Intelligence (CTI) on past incidents enables high-level analysis of intrusion intent as well as preemptive response. Accordingly, autonomous alert correlation methods using machine learning algorithms such as Bayesian networks, Hidden Markov Models (HMM), Support Vector Machines (SVM) and neural networks have recently been studied for threat analysis. In this paper, we propose an analysis method for alerts generated by a Security Information and Event Management (SIEM) system in two parts. In the first part, we apply a Bayesian network to generate attack scenarios and infer the intent of the intrusion. We define the causality of alerts generated by SIEMs through an alert correlation algorithm based on the Bayesian network; this facilitates identification of the intrusion pathway as well as prediction of the next attack. In the second part, we apply the Diamond model to the generated attack scenarios for threat analysis using CTI. Rather than merely plotting an attack graph, the method applies the Diamond model to the attack graph based on the cyber kill chain, allowing the analyst to identify more information at a glance. To apply the Diamond model, we expand the features of each attack with information such as the asset information of the system or its vulnerabilities. Accordingly, each attack scenario can be reconstructed in a CTI format and compared with threats that occurred in the past. We thereby demonstrate the feasibility of successfully identifying the overall attack situation and responding to it rapidly.
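The pipeline the abstract describes (correlate SIEM alerts by causality into an attack scenario, predict the next kill-chain stage, reconstruct the scenario as a Diamond-model record expanded with asset and vulnerability features, and compare it with past CTI), worked through as an added example that is not the paper's code or dataset. The alerts, the signature-to-stage mapping, the conditional-probability table that stands in for the paper's Bayesian network, the asset inventory and the "past CTI" records are all constructed for illustration, and the vulnerability labels are placeholders.

```python
"""Toy alert-correlation pipeline in the shape the abstract describes.
All data below is constructed sample data, not the paper's dataset or code."""

# Constructed SIEM alerts: (time, source host, destination host, signature)
ALERTS = [
    (1, "203.0.113.7", "10.0.0.5", "port_scan"),
    (2, "203.0.113.7", "10.0.0.5", "web_exploit_attempt"),
    (3, "10.0.0.5", "198.51.100.2", "c2_beacon"),
    (4, "10.0.0.5", "10.0.0.9", "smb_lateral_movement"),
    (5, "10.0.0.9", "198.51.100.2", "data_exfiltration"),
    (6, "192.0.2.44", "10.0.0.5", "port_scan"),  # unrelated scanner, no follow-up
]

# Kill-chain stage of each signature (assumed mapping)
STAGE = {
    "port_scan": "reconnaissance",
    "web_exploit_attempt": "exploitation",
    "c2_beacon": "command_and_control",
    "smb_lateral_movement": "lateral_movement",
    "data_exfiltration": "actions_on_objectives",
}

# P(next stage | current stage): edge weights of a simplified Bayesian-network
# view of alert causality. Constructed values, not learned from data.
P_NEXT = {
    "reconnaissance":        {"exploitation": 0.7, "reconnaissance": 0.3},
    "exploitation":          {"command_and_control": 0.6, "lateral_movement": 0.3},
    "command_and_control":   {"lateral_movement": 0.5, "actions_on_objectives": 0.4},
    "lateral_movement":      {"actions_on_objectives": 0.6, "command_and_control": 0.3},
    "actions_on_objectives": {},
}

# Asset inventory used to expand each attack with asset/vulnerability features
# (constructed; vulnerability identifiers are placeholders)
ASSETS = {
    "10.0.0.5": {"role": "web-server", "vulns": ["VULN-WEB-PLACEHOLDER"]},
    "10.0.0.9": {"role": "file-server", "vulns": ["VULN-SMB-PLACEHOLDER"]},
}

# Past CTI records in the same Diamond-shaped layout (constructed)
PAST_CTI = [
    {"name": "campaign-A (constructed)", "infrastructure": ["198.51.100.2"],
     "capability": ["port_scan", "web_exploit_attempt", "c2_beacon", "data_exfiltration"],
     "victim_roles": ["web-server"]},
    {"name": "campaign-B (constructed)", "infrastructure": ["192.0.2.99"],
     "capability": ["phishing", "credential_dump"], "victim_roles": ["workstation"]},
]


def causal_link(prev, cur):
    """Probability that alert `cur` was caused by alert `prev`, 0.0 if it cannot be.
    A link requires `cur` to follow `prev` in time and to originate either from the
    same source or from `prev`'s target (the attacker has moved onto that host)."""
    t1, src1, dst1, sig1 = prev
    t2, src2, _dst2, sig2 = cur
    if t2 <= t1 or src2 not in (src1, dst1):
        return 0.0
    return P_NEXT[STAGE[sig1]].get(STAGE[sig2], 0.0)


def correlate(alerts, threshold=0.2):
    """Attach each alert to the earlier alert most likely to have caused it, then
    walk the resulting trees from their roots. Returns [(path, joint_probability)]."""
    parent = {}
    for i, cur in enumerate(alerts):
        best, best_p = None, threshold
        for j in range(i):
            p = causal_link(alerts[j], cur)
            if p > best_p:
                best, best_p = j, p
        if best is not None:
            parent[i] = (best, best_p)
    children = {}
    for i, (j, p) in parent.items():
        children.setdefault(j, []).append((i, p))
    scenarios = []

    def walk(i, path, prob):
        path = path + [alerts[i]]
        if i not in children:          # leaf: one complete scenario
            scenarios.append((path, prob))
            return
        for k, p in children[i]:
            walk(k, path, prob * p)

    for i in range(len(alerts)):
        if i not in parent:            # roots start new scenarios
            walk(i, [], 1.0)
    return scenarios


def predict_next(path):
    """Most probable next kill-chain stage after the last alert of a scenario."""
    nxt = P_NEXT[STAGE[path[-1][3]]]
    return max(nxt, key=nxt.get) if nxt else None


def to_diamond(path):
    """Reconstruct a scenario as a Diamond-model record: adversary, infrastructure,
    capability and victim, with victims expanded by asset role and vulnerabilities."""
    adversary = path[0][1]
    victims = {a[2] for a in path if a[2] in ASSETS}
    external = {a[2] for a in path if a[2] not in ASSETS} | {adversary}
    return {
        "adversary": adversary,
        "infrastructure": sorted(external),
        "capability": sorted({a[3] for a in path}),
        "victim": {h: ASSETS[h] for h in sorted(victims)},
    }


def jaccard(a, b):
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if a | b else 0.0


def match_cti(diamond, past=PAST_CTI):
    """Average Jaccard similarity over capability, infrastructure and victim roles;
    returns (name of best-matching past record, score)."""
    roles = [v["role"] for v in diamond["victim"].values()]
    scored = [((jaccard(diamond["capability"], r["capability"])
                + jaccard(diamond["infrastructure"], r["infrastructure"])
                + jaccard(roles, r["victim_roles"])) / 3, r["name"]) for r in past]
    score, name = max(scored)
    return name, score


if __name__ == "__main__":
    for path, prob in correlate(ALERTS):
        print([a[3] for a in path], round(prob, 3), "next:", predict_next(path))
        if len(path) > 1:
            print(to_diamond(path), match_cti(to_diamond(path)))
```

Run stand-alone, the script links the five alerts from the first intruder into one scenario with joint probability 0.126, leaves the unrelated scanner as an isolated alert, and matches the reconstructed record most closely to "campaign-A"; truncating the scenario after the C2 beacon predicts lateral movement as the next stage. The greedy parent selection and the hand-set probability table are the simplifications here; the paper's method learns causality from a Bayesian network over SIEM alerts.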

Original language: English
Title of host publication: Proceedings of the 18th European Conference on Cyber Warfare and Security, ECCWS 2019
Editors: Tiago Cruz, Paulo Simoes
Publisher: Curran Associates Inc.
Pages: 444-450
Number of pages: 7
ISBN (Electronic): 9781912764280
Publication status: Published - 2019 Jan 1
Event: 18th European Conference on Cyber Warfare and Security, ECCWS 2019 - Coimbra, Portugal
Duration: 2019 Jul 4 to 2019 Jul 5

Publication series

Name: European Conference on Information Warfare and Security, ECCWS
Volume: 2019-July
ISSN (Print): 2048-8602
ISSN (Electronic): 2048-8610

Conference

Conference: 18th European Conference on Cyber Warfare and Security, ECCWS 2019
Country: Portugal
City: Coimbra
Period: 19/7/4 to 19/7/5

Keywords

  • Alert correlation
  • Cyber threat analysis
  • Cyber threat intelligence
  • Diamond model

ASJC Scopus subject areas

  • Information Systems
  • Information Systems and Management
  • Safety, Risk, Reliability and Quality

Cite this

Shin, Y., Lim, C., Park, M., Cho, S., Han, I., Oh, H., & Lee, K. H. (2019). Alert correlation using diamond model for cyber threat intelligence. In T. Cruz, & P. Simoes (Eds.), Proceedings of the 18th European Conference on Cyber Warfare and Security, ECCWS 2019 (pp. 444-450). (European Conference on Information Warfare and Security, ECCWS; Vol. 2019-July). Curran Associates Inc.
