Scalable Detection of Cyber Attacks

Massimiliano Albanese (1), Sushil Jajodia (1), Andrea Pugliese (2), and V.S. Subrahmanian (3)

(1) George Mason University, Fairfax, VA 22030, USA, {malbanes,jajodia}@gmu.edu
(2) University of Calabria, 87036 Rende (CS), Italy, apugliese@deis.unical.it
(3) University of Maryland, College Park, MD 20742, USA, vs@umiacs.umd.edu

Abstract. Attackers can exploit vulnerabilities to incrementally penetrate a network and compromise critical systems. The enormous amount of raw security data available to analysts and the complex interdependencies among vulnerabilities make manual analysis extremely labor-intensive and error-prone. To address this important problem, we build on previous work on topological vulnerability analysis, and propose an automated framework to manage very large attack graphs and monitor high volumes of incoming alerts for the occurrence of known attack patterns in real time. Specifically, we propose (i) a data structure that merges multiple attack graphs and enables concurrent monitoring of multiple types of attacks; (ii) an index structure that can effectively index millions of time-stamped alerts; (iii) a real-time algorithm that can process a continuous stream of alerts, update the index, and detect attack occurrences. We show that the proposed solution significantly improves the state of the art in cyber attack detection, enabling real-time attack detection.

Keywords: Attack graphs, attack detection, scalability

1 Introduction

An ever-increasing number of critical applications and services rely today on Information Technology infrastructures, exposing companies and organizations to an elevated risk of becoming the target of cyber attacks. Attackers can exploit network configurations and vulnerabilities to incrementally penetrate a network and compromise critical systems. Most of the elementary steps of an attack are intercepted by intrusion detection systems, which generate alerts accordingly. However, such systems typically miss some events and also generate a large number of false alarms. More importantly, they cannot derive attack scenarios from individual alerts.

This material is based upon work supported by the Army Research Office under MURI grant W911NF-09-1-0525 and DURIP grant W911NF-11-1-0340.
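To make concrete the idea of monitoring a stream of time-stamped alerts for occurrences of attack-graph paths, here is an added illustrative example; it is not the paper's data structure, index or algorithm. The attack graph, the alert stream, the per-host correlation rule and the time window are all constructed assumptions.

```python
from collections import namedtuple

# Constructed attack graph: nodes are exploit steps, edges mean "enables".
# Two attack types (SSH chain, web chain) share the initial reconnaissance step.
ATTACK_GRAPH = {
    "recon_scan":     ["ssh_bruteforce", "web_sqli"],
    "ssh_bruteforce": ["priv_esc_local"],
    "web_sqli":       ["db_dump"],
    "priv_esc_local": [],
    "db_dump":        [],
}
START_STEPS = {"recon_scan"}
GOAL_STEPS = {"priv_esc_local", "db_dump"}

Alert = namedtuple("Alert", "ts host step")

class StreamMonitor:
    """Keeps partial matches of attack-graph paths while alerts stream in."""
    def __init__(self, graph, starts, goals, window):
        self.graph, self.starts, self.goals, self.window = graph, starts, goals, window
        self.partial = []  # (ts of last matched alert, host, steps matched so far)

    def feed(self, alert):
        """Consume one alert; return the attack paths completed by it."""
        # Drop partial matches whose last step is older than the time window.
        self.partial = [p for p in self.partial if alert.ts - p[0] <= self.window]
        detected, extended = [], []
        for last_ts, host, steps in self.partial:
            # Assumed correlation rule: same host, and the new step must be
            # enabled by the previously matched step in the attack graph.
            if host == alert.host and alert.step in self.graph[steps[-1]]:
                path = steps + [alert.step]
                if alert.step in self.goals:
                    detected.append((host, path))
                else:
                    extended.append((alert.ts, host, path))
        if alert.step in self.starts:  # every start step opens a new candidate
            extended.append((alert.ts, alert.host, [alert.step]))
        self.partial.extend(extended)  # originals stay, so paths may branch
        return detected

def run_stream(alerts, window=300):
    """Replay a constructed alert stream and collect detected attack paths."""
    mon, hits = StreamMonitor(ATTACK_GRAPH, START_STEPS, GOAL_STEPS, window), []
    for alert in alerts:
        hits.extend(mon.feed(alert))
    return hits

# Constructed alert stream: one host completes the SSH chain; a goal step with
# no preceding steps is ignored; a second host's chain resumes after the window.
SAMPLE_ALERTS = [
    Alert(100, "10.0.0.5", "recon_scan"),
    Alert(110, "10.0.0.9", "recon_scan"),
    Alert(150, "10.0.0.5", "ssh_bruteforce"),
    Alert(170, "10.0.0.7", "db_dump"),         # isolated goal step: not a match
    Alert(200, "10.0.0.5", "priv_esc_local"),  # completes the path on 10.0.0.5
    Alert(900, "10.0.0.9", "web_sqli"),        # recon on 10.0.0.9 has expired
    Alert(910, "10.0.0.9", "db_dump"),
]
```

Running `run_stream(SAMPLE_ALERTS)` reports a single completed path on 10.0.0.5; the isolated `db_dump` and the expired chain on 10.0.0.9 produce no detection.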