Cyber-Adversary Behavior Extraction and Comparisons Using IDS Alert Logs
Stephen Moskal
Computer networks are under constant threat from cyber attackers, as adversaries from anywhere in the world can potentially probe, access, and exploit the network at any time. From the perspective of the defense (system administrators or IT staff), the intentions and motivations of the attacker are unknown, and the defense can only observe the adversarial traffic captured by some sort of Intrusion Detection System (IDS) and respond accordingly by patching vulnerabilities and applying strict security policies. However, the complexity of network structures and the sophistication of the attacker's skills/behavior mean that there are numerous ways attackers could penetrate the network, making it extremely difficult to defend against all types of attackers. We propose that contained within the IDS alerts is an attack scenario describing a process of adversarial actions leading to an overarching goal, which can be used to profile the adversary's behavior, compare it to other observations of attackers, and generate examples of similar attack scenarios. To extract the attack actions from IDS alerts, we hypothesize that a decline in alert volume for an observable cyber-attack kill chain stage signifies the beginning of a new action, and that the alerts between such declines can be aggregated to represent one action. We then evaluate how the attributes of the actions, such as the source IP, target IP, attack type, and service type, transpire over the course of an attack scenario by defining a set of network-agnostic labels called Attacker Movements and a corresponding feature set describing the history of attacker actions, which allows attack attributes to be compared between attackers. As IDS alerts are not typically reflective of the actions actually taken by the attacker, we use data collected from the Collegiate Penetration Testing Competition (CPTC), including IDS logs from multiple teams of contestants and detailed in-person team observations, to capture the adversary's perspective and thought process.
We recover 63% of all observable actions performed by the adversaries and capture 4 out of the 5 critical actions leading to exploitation of an asset. Lastly, we report the similarity between adversary behaviors using the Jensen-Shannon divergence of Attacker Movements, comparing behaviors from the same team attacking different targets, teams within the same competition, and teams of a similar skill level but from a previous competition. This similarity metric gives the capability of determining interesting and unique behavior profiles, which can be used to assess and prevent future attacks based on previously observed behavioral patterns.
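The pipeline sketched in the abstract (alert-volume decline as an action boundary, Attacker Movement labels on consecutive actions, Jensen-Shannon divergence between two attackers' label distributions) can be illustrated end to end on a handful of alerts. The following Python is an added example written for this page, not the author's code or data: the alert tuples, the kill-chain stage names, the 10-second window, and the three-part movement label (target/service/stage same-or-new) are all assumptions chosen to show the mechanics, and the paper's actual Attacker Movement taxonomy and feature set are not described in the abstract.

```python
"""Illustration (not the paper's code): segment constructed IDS alerts into
actions by per-stage alert-volume decline, label the transitions between
consecutive actions with a hypothetical Attacker Movement scheme, and compare
two attackers with the Jensen-Shannon divergence of their label distributions.
"""
from collections import Counter, defaultdict
from math import log2

# Constructed alerts: (time_sec, src_ip, dst_ip, kill_chain_stage, service).
# Stage names and services are assumptions, not the paper's taxonomy.
ALERTS_TEAM_A = [
    (0, "10.0.0.5", "10.0.1.10", "recon", "ssh"),     # window 0: 4 alerts
    (1, "10.0.0.5", "10.0.1.10", "recon", "ssh"),
    (2, "10.0.0.5", "10.0.1.10", "recon", "ssh"),
    (3, "10.0.0.5", "10.0.1.10", "recon", "ssh"),
    (11, "10.0.0.5", "10.0.1.20", "recon", "http"),   # window 1: 2 alerts (decline)
    (12, "10.0.0.5", "10.0.1.20", "recon", "http"),
    (21, "10.0.0.5", "10.0.1.20", "recon", "http"),   # window 2: 3 alerts (no decline)
    (22, "10.0.0.5", "10.0.1.20", "recon", "http"),
    (23, "10.0.0.5", "10.0.1.20", "recon", "http"),
    (30, "10.0.0.5", "10.0.1.20", "exploit", "http"), # exploit window 3: 3 alerts
    (31, "10.0.0.5", "10.0.1.20", "exploit", "http"),
    (32, "10.0.0.5", "10.0.1.20", "exploit", "http"),
    (40, "10.0.0.5", "10.0.1.20", "exploit", "smb"),  # exploit window 4: 1 alert (decline)
]
ALERTS_TEAM_B = [
    (0, "10.0.0.9", "10.0.1.30", "recon", "http"),    # window 0: 3 alerts
    (1, "10.0.0.9", "10.0.1.30", "recon", "http"),
    (2, "10.0.0.9", "10.0.1.30", "recon", "http"),
    (10, "10.0.0.9", "10.0.1.30", "recon", "http"),   # window 1: 4 alerts (no decline)
    (11, "10.0.0.9", "10.0.1.30", "recon", "http"),
    (12, "10.0.0.9", "10.0.1.30", "recon", "http"),
    (13, "10.0.0.9", "10.0.1.30", "recon", "http"),
    (20, "10.0.0.9", "10.0.1.30", "recon", "smb"),    # window 2: 2 alerts (decline)
    (21, "10.0.0.9", "10.0.1.30", "recon", "smb"),
    (30, "10.0.0.9", "10.0.1.30", "exploit", "smb"),  # exploit window 3: 2 alerts
    (31, "10.0.0.9", "10.0.1.30", "exploit", "smb"),
]


def summarise(group):
    """Aggregate one group of alerts into a single action (mode of each attribute)."""
    mode = lambda i: Counter(a[i] for a in group).most_common(1)[0][0]
    return {"start": group[0][0], "src": mode(1), "dst": mode(2),
            "stage": group[0][3], "service": mode(4), "n_alerts": len(group)}


def segment_actions(alerts, window=10):
    """Split alerts into actions. Within each kill-chain stage, alerts are bucketed
    into fixed time windows; a window whose alert count is lower than the previous
    window's starts a new action (the abstract's decline hypothesis)."""
    by_stage = defaultdict(list)
    for a in alerts:
        by_stage[a[3]].append(a)
    actions = []
    for stage_alerts in by_stage.values():
        stage_alerts.sort(key=lambda a: a[0])
        counts = Counter(a[0] // window for a in stage_alerts)
        current, prev = [], None
        for w in range(min(counts), max(counts) + 1):
            n = counts.get(w, 0)
            if prev is not None and n < prev and current:
                actions.append(summarise(current))   # decline: close the running action
                current = []
            current.extend(a for a in stage_alerts if a[0] // window == w)
            prev = n
        if current:
            actions.append(summarise(current))
    actions.sort(key=lambda act: act["start"])
    return actions


def attacker_movements(actions):
    """Network-agnostic label for each transition between consecutive actions.
    Hypothetical scheme: did the target, the service and the stage stay the same?"""
    labels = []
    for prev, cur in zip(actions, actions[1:]):
        labels.append("/".join([
            "same_target" if cur["dst"] == prev["dst"] else "new_target",
            "same_service" if cur["service"] == prev["service"] else "new_service",
            "same_stage" if cur["stage"] == prev["stage"] else "new_stage",
        ]))
    return labels


def distribution(labels):
    """Relative frequency of each movement label."""
    return {k: v / len(labels) for k, v in Counter(labels).items()}


def jensen_shannon(p, q):
    """JS divergence in bits (0 = identical, 1 = disjoint support)."""
    m = {k: 0.5 * (p.get(k, 0.0) + q.get(k, 0.0)) for k in set(p) | set(q)}
    kl = lambda a: sum(a[k] * log2(a[k] / m[k]) for k in a if a[k] > 0)
    return 0.5 * kl(p) + 0.5 * kl(q)


def compare_teams(alerts_a, alerts_b):
    """Behavioral distance between two attackers from their IDS alerts alone."""
    dist = lambda al: distribution(attacker_movements(segment_actions(al)))
    return jensen_shannon(dist(alerts_a), dist(alerts_b))


if __name__ == "__main__":
    for name, alerts in (("A", ALERTS_TEAM_A), ("B", ALERTS_TEAM_B)):
        acts = segment_actions(alerts)
        print(name, [(a["stage"], a["dst"], a["service"], a["n_alerts"]) for a in acts])
        print(name, attacker_movements(acts))
    print("JSD(A, B) =", round(compare_teams(ALERTS_TEAM_A, ALERTS_TEAM_B), 4))
```

Team A's 13 alerts collapse to four actions and Team B's 11 to three; the labels already show the kind of comparison the abstract describes (both teams pivot to a new service on the same target before advancing a stage, but only Team A also switches targets), and the divergence of about 0.19 bits quantifies it. The window length and the mode-based aggregation are the knobs a practitioner would tune against ground truth such as the in-person observations the abstract mentions.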