Searched for: subject:"Attack Graphs"
(1 - 11 of 11)
Dumitriu, Alexandru (author)
This research paper focuses on the complex domain of alert-driven attack graphs. SAGE is a tool which generates such attack graphs (AGs) by using a suffix-based probabilistic deterministic finite automaton (S-PDFA). One of the substantial properties of this algorithm is to detect infrequent severe alerts while maintaining the context of attacks...
bachelor thesis 2023
Oprea, Ioan (author)
SAGE is a deterministic and unsupervised learning pipeline that can generate attack graphs from intrusion alerts without input knowledge from a security analyst. Using a suffix-based probabilistic deterministic finite automaton (S-PDFA), the system compresses over 1 million alerts into less than 500 attack graphs (AGs), which are concise and...
bachelor thesis 2023
Van den Broeck, Senne (author)
Intrusion Detection Systems (IDSes) detect malicious traffic in computer networks and generate a large volume of alerts, which cannot be processed manually. SAGE is a deterministic algorithm that works without a priori network/expert knowledge and can compress these alerts into attack graphs (AGs), modelling intruders’ paths in the network....
bachelor thesis 2023
Constantinescu, Vlad (author)
The interpretability of an attack graph is a key principle as it reflects the difficulty of a specialist to take insights into attacker strategies. However, the quantification of interpretability is considered to be a subjective manner and complex attack graphs can be challenging to read and interpret. In this research paper, we propose a new...
bachelor thesis 2023
Zelenjak, Jegor (author)
SAGE is an unsupervised sequence learning pipeline that generates alert-driven attack graphs (AGs) without the need for prior expert knowledge about existing vulnerabilities and network topology. Using a suffix-based probabilistic deterministic finite automaton (S-PDFA), it accentuates infrequent high-severity alerts without discarding frequent...
bachelor thesis 2023
Mouwen, Dennis (author)
Every day, Intrusion Detection Systems around the world generate huge amounts of data. This data can be used to learn attacker behaviour, such as Techniques, Tactics, and Procedures (TTPs). Attack Graphs (AGs) provide a visual way of describing these attack patterns. They can be generated without expert knowledge and vulnerability reports. The...
master thesis 2022
Nadeem, A. (author), Verwer, S.E. (author), Moskal, Stephen (author), Yang, Shanchieh Jay (author)
Ideal cyber threat intelligence (CTI) includes insights into attacker strategies that are specific to a network under observation. Such CTI currently requires extensive expert input for obtaining, assessing, and correlating system vulnerabilities into a graphical representation, often referred to as an attack graph (AG). Instead of deriving AGs...
journal article 2022
Semertzis, I. (author), Subramaniam Rajkumar, Vetrivel (author), Stefanov, Alexandru (author), Fransen, Frank (author), Palensky, P. (author)
Over the past decade, the number of cyber attack incidents targeting critical infrastructures such as the electrical power system has increased. To assess the risk of cyber attacks on the cyber-physical system, a holistic approach is needed that considers both system layers. However, the existing risk assessment methods are either qualitative in...
conference paper 2022
Semertzis, Ioannis (author)
Power grids rely on Operational Technology (OT) networks, for real-time monitoring and control. These traditionally segregated systems are now being integrated with general-purpose Information and Communication Technologies (ICTs). The coupling of the physical power system and its communications infrastructure forms a complex, interdependent...
master thesis 2021
Nadeem, A. (author), Verwer, S.E. (author), Moskal, Stephen (author), Yang, Shanchieh Jay (author)
Attack graphs (AG) are a popular area of research that display all the paths an attacker can exploit to penetrate a network. Existing techniques for AG generation rely heavily on expert input regarding vulnerabilities and network topology. In this work, we advocate the use of AGs that are built directly using the actions observed through...
conference paper 2021
Chockalingam, S. (author), Pieters, W. (author), Herdeiro Teixeira, A.M. (author), van Gelder, P.H.A.J.M. (author)
Bayesian Networks (BNs) are an increasingly popular modelling technique in cyber security especially due to their capability to overcome data limitations. This is also instantiated by the growth of BN models development in cyber security. However, a comprehensive comparison and analysis of these models is missing. In this paper, we conduct a...
conference paper 2017