An Attack Scenario Reconstruction Approach Using Alerts Correlation and a Dynamic Attack Graph

Meaad Alrehaili, Adel Alshamrani

2023 EIGHTH INTERNATIONAL CONFERENCE ON MOBILE AND SECURE SERVICES, MOBISECSERV(2023)

Abstract
Targeted attacks have recently emerged as one of the most serious threats to governments and organizations. Of these, the advanced persistent threat (APT) is currently one of the most critical concerns for information security. An APT attack collects data from a given target over time by exploiting vulnerabilities with a variety of attack approaches. As a result, guaranteeing cybersecurity in network systems is an important challenge in ensuring the functionality of existing infrastructure. This work proposes an effective solution, adaptive and intelligent advanced persistent threat detection (AIAPTD), which can accurately and rapidly detect and predict APT attacks. We designed a distributed correlation model that correlates abnormal behaviors to detect sophisticated attacks. In addition, we developed an APT attack path graph (APT-APG) to reveal the system security situation by modeling dynamic attack information alongside system configuration vulnerabilities. The results demonstrate that the model can correlate network alerts with homogeneity rates as high as 99%. It can also reveal behavioral patterns quickly, using a detailed and informative attack graph that gives a comprehensive overview of all attack movements and allows defenders to reconstruct relations between events to better understand their system's current situation.
Keywords
advanced persistent threat, cyberattacks, machine learning, intrusion detection systems, attack graph