Analysis and Visualization of Large Complex Multi-Step Cyber Attack Graphs
Phone: (301) 294-5250
Email: lhaynes@i-a-i.com
Title: Contracts and Proposals Manager
Phone: (301) 294-5221
Email: mjames@i-a-i.com
Contact: Peng Liu
Address:
Phone: (814) 863-0641
Type: Nonprofit College or University
We propose a comprehensive and innovative approach for analysis and visualization of large, complex, multi-step cyber attack graphs. First, we select the radial space-filling hierarchy visualization module for large, complex, multi-step cyber attack graphs due to its strengths in space efficiency and ease of interpretation. Once an attack is correlated, the attack notification service retrieves the correlated alerts that comprise the attack scenario and uses them to instantiate an attack node, binding formal parameters to arguments along the way. Second, we build our plan recognition system after a low-level alert correlation step that includes alert aggregation and alert correlation. Third, we do not require a complete ordered alert sequence for inference. We have the capability of handling partial order and unobserved activity evidence sets. Fourth, we provide advanced approaches to predict potential attacks based on observed intrusion evidence. Bayesian Network based prediction can incorporate prior knowledge of attack transition patterns and handle uncertainty in the correlation process. Moreover, we apply dynamic games for graph-based attack prediction and response, since the integration of attack graphs and alert correlation graphs provides “perfect” knowledge about the attacker’s strategy space, which is necessary to compute (Nash) equilibria of any mathematical game.
* Information listed above is at the time of submission. *