Mining Attack Strategy
Using Process Mining to extract attacker strategy from IDS alerts
Abstract
Ever since the invention of the Internet, more and more computers have been connected throughout the world. Though this has brought numerous new inventions used every day, like social media, e-commerce, and video conferencing, it also opens up new opportunities for cyber criminals. As the intrusion detection systems used to identify malicious behavior in a computer network can generate large amounts of alerts, methods have been developed to aid security analysts in gaining insights into what is happening on the network. Of course, there is always room to improve these methods, which is the topic of this thesis. Currently, one of the state-of-the-art methods uses state machines to model the alert sequences. State machines are a good fit as they can extract the context of different alerts, but they cannot extract information like parallelism between different alerts. That is where the field of process mining comes in, with process mining algorithms being able to extract parallelism from sequential data. In this thesis, state-of-the-art algorithms from process mining are evaluated for modeling alert datasets from intrusion detection systems with the aim of improving the current methods. As a comparison, different methods for learning state machines were also tested on the same data. The results of the evaluation and comparison show that the state machines perform better in modeling the alert datasets with respect to explaining the data. On the other hand, three process mining algorithms were not able to construct sound models for the datasets, and a fourth mining algorithm gave false implications about the data. Furthermore, the possibility of combining state machines with process mining was also tested, with the idea that the combination can use the state machines to extract context and the process miner to extract parallelism. This method did not yield any improvements for the alert datasets tested, but that does not mean it is not viable in other cases.