Real-time attack graph generation using intrusion alerts

Title: Real-time attack graph generation using intrusion alerts
Author: Băbălău, Ion (TU Delft Electrical Engineering, Mathematics and Computer Science)
Contributors: Verwer, S.E. (mentor); Nadeem, A. (mentor); Kooij, Robert (graduation committee)
Degree granting institution: Delft University of Technology
Programme: Computer Science | Cyber Security
Date: 2023-11-30

Abstract

In an era where cyber threats evolve with alarming speed and sophistication, the role of Security Operation Centers (SOCs) has become increasingly pivotal in safeguarding digital infrastructures. SOCs serve as the frontline defence against malicious entities, continuously monitoring and analyzing network traffic, as well as the activity of users and systems, for potential threats. The rapid growth of advanced cyber-attacks has amplified the reliance on Intrusion Detection Systems (IDS) to generate alerts for anomalous activities, and on SOC analysts to analyze those alerts. However, these systems often yield an overwhelming number of alerts, many of which are false positives, leading to alert fatigue among analysts. The scarcity of effective visualization tools, coupled with the analysts' dependence on manual investigation and correlation of events, aggravates this issue, resulting in extended alert analysis times. Moreover, the number of attack scenarios keeps increasing daily, making it difficult to understand the possible next actions of an attacker and apply preventive measures.

This thesis introduces an innovative approach to aid SOC analysts in managing the large influx of alerts, mitigating alert fatigue, and enhancing the efficiency of threat identification and response. We present an attack prediction tool with alert visualization capabilities that produces real-time attack graphs, summarizing the alerts associated with a specific host. Our method utilizes a Suffix-based Probabilistic Deterministic Finite Automaton (SPDFA) to predict future attacker actions, promoting a proactive defence strategy, and achieving an accuracy of 33.71%. We validate the practicality and relevance of our contributions through interviews with six security experts, confirming the utility of our methods in a live SOC context. Furthermore, we demonstrate the applicability of our approach by testing it with three datasets collected in the real world. Our work stands apart by simultaneously addressing alert correlation, attack visualization, and predictive modelling of attacker behaviour.

Subject: Attack Graphs; Attack Prediction; Automata
To reference this document use: http://resolver.tudelft.nl/uuid:8c398cd2-c75c-4529-bcad-e6c8236ed54c
Part of collection: Student theses
Document type: master thesis
Rights: © 2023 Ion Băbălău
Files: PDF Ion_Babalau_MSC_thesis.pdf (4.29 MB)