Investigating Episode Prioritisation in Alert-Driven Attack Graphs

Title: Investigating Episode Prioritisation in Alert-Driven Attack Graphs: Analysing PICA: A Novel Approach to Episode Prioritisation
Author: Van den Broeck, Senne (TU Delft Electrical Engineering, Mathematics and Computer Science)
Contributors: Verwer, S.E. (mentor); Nadeem, A. (mentor); Katsifodimos, A. (graduation committee)
Degree granting institution: Delft University of Technology
Programme: Computer Science and Engineering
Project: CSE3000 Research Project
Date: 2023-06-28

Abstract

Intrusion Detection Systems (IDSes) detect malicious traffic in computer networks and generate a large volume of alerts, which cannot be processed manually. SAGE is a deterministic algorithm that works without a priori network/expert knowledge and can compress these alerts into attack graphs (AGs), modelling intruders' paths in the network. These AGs are too high in quantity and complexity for manual analysis, creating the need to prioritise individual attack stages (ASes). The existing prioritisation metric does not take graph properties into account and is not granular enough to function at the node level. We propose PICA, an urgency metric inspired by the CIA triad (Confidentiality, Integrity and Availability) and by graph properties. It works at both the node level and the attack-stage level. PICA is evaluated by comparison with the current implementation, based on AGs generated by SAGE from open-source intrusion alert datasets. The evaluation considers the number and the type of the discovered attack stages. Results show that PICA manages to discover ASes that contain nodes with a high in-degree but fails to discover urgent ASes that contain many nodes with low in-degrees. Compared to the baseline, the ASes are distributed more evenly over the different urgency levels.

Analysis of urgent node positioning revealed that sub-AGs lose information when objectives (the final goal in a path) are also starting nodes. Changing the weights of the CIA triad showed a clear bias in the results towards the larger weights, as intended. Finally, further work is proposed for PICA and for the generation process of SAGE's AGs.

Subject: SAGE; Attack Graphs; Urgency; Prioritisation; Network Security
To reference this document use: http://resolver.tudelft.nl/uuid:4bd5969b-dd1b-40fd-916f-e24fe299e0aa
Part of collection: Student theses
Document type: bachelor thesis
Rights: © 2023 Senne Van den Broeck
Files: Senne_Van_den_Broeck_RP_Paper.pdf (PDF, 1.77 MB)