AGCM: A multi-stage attack correlation and scenario reconstruction method based on graph aggregation

With an increase in the complexity and scale of networks, cybersecurity faces increasingly severe challenges. For instance, an attacker can combine individual attacks into complex multi-stage attacks to infiltrate targets. Traditional intrusion detection systems (IDS) generate large number of alerts during an attack, including attack clues along with many false positives. Furthermore, due to the complexity and changefulness of attacks, security analysts spend considerable time and effort on discovering attack paths. Existing methods rely on attack knowledgebases or predefined correlation rules but can only identify known attacks. To address these limitations, this paper presents an attack correlation and scenario reconstruction method. We transform the abnormal flows corresponding to the alerts into abnormal states relationship graph (ASR-graph) and automatically correlate attacks through graph aggregation and clustering. We also implemented an attack path search algorithm to mine attack paths and trace the attack process. This method does not rely on prior knowledge; thus, it can well adapt to the changed attack plan, making it effective in correlating unknown attacks and identifying attack paths. Evaluation results show that the proposed method has higher accuracy and effectiveness than existing methods.