OMADM: Online Multi-step Attack Detection Method

Publication year: 1394
Document type: Journal article
Language: English
Views: 604

The file for this article is available for download as a 13-page PDF.

National scientific document ID: JR_IJOCIT-3-2_001

Indexing date: 16 Farvardin 1395

Abstract:

Network intrusion detection systems (NIDS) have become an important and essential part of computer networks and increase their security. Traditional NIDS, despite their advantages, have some disadvantages: they produce a high volume of low-level alerts, mix true alerts with false alerts, cannot find a logical connection between alerts in order to detect novel and multi-step attacks, and manage and detect alerts only in an offline mode. As a result, it is difficult for human users and intrusion response systems to understand the alerts and take proper actions on time. Multi-step attacks are a new kind of attack that NIDS have weaknesses in detecting. In this kind of attack, the attacker runs the attack based on a pre-designed scenario and in separate steps; each of these steps has a logical connection with the other steps. In this paper, we propose an online multi-step attack detection method (OMADM) based on the prerequisites and consequences of attacks. In the OMADM method, alerts are processed in an online mode, and attack scenarios are generated in an online mode. To evaluate the accuracy of this method and validate OMADM, we implement an online multi-step attack detection tool (OMADT), a prototype of OMADM, and evaluate OMADM with DARPA 2000 and a collected dataset that includes several attack scenarios. Each attack scenario in our dataset has different models. Our experiment demonstrates the accuracy, speed, and high ability of this method in alert correlation, detecting online multi-step attacks, and generating online attack scenarios.
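As an added illustration of the prerequisite/consequence style of online alert correlation the abstract describes (example code written for this page, not the authors' OMADM/OMADT implementation; the alert type names, predicates and the alert stream are constructed):

```python
from collections import defaultdict
# Constructed knowledge base (hypothetical alert types and predicates, not from the paper):
# each alert type lists the facts it requires (pre) and the facts it establishes (post).
ALERT_TYPES = {
    "IcmpSweep":     {"pre": set(),            "post": {"HostAlive"}},
    "PortScan":      {"pre": {"HostAlive"},    "post": {"ServiceFound"}},
    "RemoteExploit": {"pre": {"ServiceFound"}, "post": {"RootShell"}},
    "AgentInstall":  {"pre": {"RootShell"},    "post": {"DdosAgent"}},
}

class OnlineCorrelator:
    """Correlates alerts one at a time: each new alert is linked to the earlier alerts on the
    same target whose consequences satisfy one of its prerequisites."""
    def __init__(self):
        self.facts = defaultdict(dict)  # target -> {predicate: id of the alert that established it}
        self.parents = {}               # alert id -> ids of the earlier alerts it was linked to
    def process(self, alert):
        kb = ALERT_TYPES.get(alert["type"])
        if kb is None:                  # unknown alert type: nothing to correlate on
            return []
        known = self.facts[alert["dst"]]
        linked = sorted({known[p] for p in kb["pre"] if p in known})
        self.parents[alert["id"]] = linked
        for fact in kb["post"]:         # consequences become available to later alerts
            known[fact] = alert["id"]
        return linked                   # ids of earlier alerts this one was correlated with

    def scenario(self, alert_id):
        """Walk the links backwards to rebuild the attack scenario that ends at alert_id."""
        steps, frontier = set(), [alert_id]
        while frontier:
            cur = frontier.pop()
            if cur not in steps:
                steps.add(cur)
                frontier.extend(self.parents.get(cur, []))
        return sorted(steps)

# Constructed alert stream: a four-step chain against 10.0.0.5 plus an unrelated scan.
SAMPLE_ALERTS = [
    {"id": 1, "type": "IcmpSweep",     "dst": "10.0.0.5"},
    {"id": 2, "type": "PortScan",      "dst": "10.0.0.5"},
    {"id": 3, "type": "PortScan",      "dst": "10.0.0.9"},  # prerequisite unmet: stays isolated
    {"id": 4, "type": "RemoteExploit", "dst": "10.0.0.5"},
    {"id": 5, "type": "AgentInstall",  "dst": "10.0.0.5"},
]

def run(alerts=SAMPLE_ALERTS):
    c = OnlineCorrelator()
    links = {a["id"]: c.process(a) for a in alerts}   # links are reported as alerts arrive
    return links, c.scenario(alerts[-1]["id"])
```

Because the correlator links on arrival rather than over a stored batch, a defender sees the growing scenario after each alert instead of after an offline pass; alert 3 stays unlinked because nothing earlier established its prerequisite on that target.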

Keywords:

Network intrusion detection system, multi-step attacks, attack scenarios, alert correlation

Authors

Ali Amiri

Security Evaluation Lab for ICT Appliances, IT Security Institute, ICT Department, Malekashtar University of Technology, Tehran, Iran

Alireza Nowroozi

Security Evaluation Lab for ICT Appliances, IT Security Institute, ICT Department, Malekashtar University of Technology, Tehran, Iran