A Multi-Step Framework for Detecting Attack Scenarios

Mark Shaneck, Varun Chandola, Haiyang Liu, Changho Choi, György Simon, Eric Eilertson, Yongdae Kim, Zhi-Li Zhang, Jaideep Srivastava, Vipin Kumar
University of Minnesota - Twin Cities
{shaneck, chandola, hliu, choi, gsimon, eric, kyd, zhzhang, srivasta, kumar}@cs.umn.edu

Abstract. With growing dependence upon interconnected networks, defending these networks against intrusions is becoming increasingly important. In the case of attacks that are composed of multiple steps, detecting the entire attack scenario is of vital importance. In this paper, we propose an analysis framework that is able to detect these scenarios with little predefined information. The core of the system is the decomposition of the analysis into two steps: first, detecting a few events in the attack with high confidence, and second, expanding from these events to determine the remainder of the events in the scenario. Our experiments show that we can accurately identify the majority of the steps contained within the attack scenario with relatively few false positives. Our framework can handle sophisticated attacks that are highly distributed, try to avoid standard pre-defined attack patterns, use cover traffic or "noisy" attacks to distract analysts and draw attention away from the true attack, and attempt to avoid detection by signature-based schemes through the use of novel exploits or mutation engines.

Keywords: Intrusion Detection, Attack Scenarios, False Alarms, Missed Attacks

1 Introduction

As the threat of attacks by network intruders increases, it is important to correctly identify and detect these attacks.
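The two-step decomposition the abstract describes (seed on a few high-confidence events, then expand outward to recover the rest of the scenario) can be illustrated on a small alert stream. The block below is an added example and is not the paper's code: the alert fields, the confidence thresholds, and the linking rule (two alerts are related if they share a host and fall within a time window) are assumptions chosen for illustration, not the criteria the paper itself uses.

```python
# Added illustration of the seed-then-expand decomposition described in the
# abstract. This is NOT the paper's code: the alert fields, the confidence
# thresholds and the linking rule (two alerts are related if they share a host
# and lie within a time window) are assumptions chosen for illustration.
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    id: int
    t: float      # seconds since start of the observation window
    src: str
    dst: str
    kind: str
    conf: float   # detector confidence in [0, 1]


def seed_alerts(alerts, min_conf=0.9):
    """Step 1: keep only alerts the detector is highly confident about."""
    return [a for a in alerts if a.conf >= min_conf]


def related(a, b, window):
    """Assumed linking rule: a shared host on either side, within `window` seconds."""
    if abs(a.t - b.t) > window:
        return False
    return bool({a.src, a.dst} & {b.src, b.dst})


def expand(alerts, seeds, window=600.0, floor=0.3):
    """Step 2: breadth-first expansion from the seeds over `related`.
    Low-confidence alerts are admitted only when they connect to an alert
    already in the scenario; alerts below `floor` are never admitted."""
    scenario = {s.id for s in seeds}
    queue = deque(seeds)
    while queue:
        cur = queue.popleft()
        for cand in alerts:
            if cand.id in scenario or cand.conf < floor:
                continue
            if related(cur, cand, window):
                scenario.add(cand.id)
                queue.append(cand)
    return sorted(scenario)


def detect_scenarios(alerts, min_conf=0.9, window=600.0, floor=0.3):
    """Run both steps; each seed not already covered starts a new scenario."""
    scenarios = []
    covered = set()
    for s in seed_alerts(alerts, min_conf):
        if s.id in covered:
            continue
        ids = expand(alerts, [s], window, floor)
        covered.update(ids)
        scenarios.append(ids)
    return scenarios


# Constructed alert stream: four steps of one intrusion (1-4), one unrelated
# "noise" alert (5), and one alert too weak to be trusted even though it is
# adjacent to the scenario (6).
SAMPLE_ALERTS = [
    Alert(1,   0.0, "10.0.0.5",     "192.168.1.10", "port-scan",     0.40),
    Alert(2, 120.0, "10.0.0.5",     "192.168.1.10", "exploit",       0.95),
    Alert(3, 400.0, "192.168.1.10", "192.168.1.20", "lateral-login", 0.50),
    Alert(4, 700.0, "192.168.1.20", "203.0.113.7",  "large-upload",  0.35),
    Alert(5, 300.0, "172.16.0.3",   "192.168.1.50", "port-scan",     0.50),
    Alert(6, 150.0, "10.0.0.9",     "192.168.1.10", "failed-login",  0.20),
]

if __name__ == "__main__":
    print(detect_scenarios(SAMPLE_ALERTS))  # [[1, 2, 3, 4]]
```

Only the exploit alert clears the seed threshold on its own; the scan, lateral login and upload are recovered because each connects, via a shared host inside the window, to something already accepted, while the unrelated scan and the sub-floor failed login stay out. The window and floor are the knobs that trade missed steps against admitted cover traffic: widening either pulls in more of the "noisy" alerts the abstract warns about.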
However, network attacks are frequently composed of multiple steps, and it is desirable to detect all of these steps together, as it 1) gives the analyst more confidence that the detected attack is real, 2) enables the analyst to more fully determine the effects of the attack, and 3) enables the analyst to better determine the appropriate action that needs to be taken. Traditional IDSs face a major problem in dealing with these multi-step attacks: they are designed to detect single events contained within the attack, and are unable to determine relationships between these events.

Many alert correlation techniques have been proposed to address this issue by determining higher-level attack scenarios [4, 6, 24, 27, 34]. However, if the data that is being protected by the network is highly valuable, an attacker can spend more time, money, and effort to make his attacks more sophisticated in order to bypass the security measures and avoid detection. Attackers, then, may use techniques to prevent their attacks from being reconstructed, such as making their attacks highly distributed; avoiding standard pre-defined attack patterns; using cover traffic or "noisy" attacks to distract analysts and draw attention away from the true attack; and attempting to avoid