An Iterative Alert Correlation Method for Extracting Network Intrusion Scenarios

Alert correlation aims to provide an abstract and high-level view of environment security state, as one can extract attack strategies from raw intrusion alerts. Mostexisting alert correlation approaches depend on either expert knowledge or predefined patterns for detecting complex attack steps. In this paper we provide a Bayesian network based alertcorrelation approach that is able to discover attack strategies without need to expert knowledge. The main goal of this workis extracting attack scenarios, with taking into account the sequence of actions. We also try to eliminate redundantrelationships in a detected attack scenario. The experimental evaluation using the well-known DARPA 2000 data set shows the efficiency of our proposed approach in extracting theintrusion scenarios