APIN: Automatic Attack Path Identification in Computer Networks

2020 IEEE International Conference on Intelligence and Security Informatics (ISI) (2020)

Abstract
Identifying the scope of a network attack can be difficult with limited information about the nature of the attack. Even more difficult is the automation of this process. Because of this, it is important to investigate new methods for mapping and quantifying the threat posed by an attack, in order to prioritize actions during incident response. To this end we propose a framework for automatic attack path identification in computer networks (APIN) by leveraging observable malicious behaviors to quantify the threat score of a set of attacks. Using two academic datasets, experimental results show that APIN is able to quickly reconstruct paths that offer meaningful insight into the nature of multi-step threats on the network, given only reasonable restrictions on network size and structure. These insights would not be possible with only existing tools, such as IDSs, and human analysts would require significant time and expertise to obtain the same findings without APIN's guidance.
Keywords
Attack Path, Threat Score, Alert Prioritization, Intrusion Detection, Cyber Attack, Incident Response