On secure networks, even sophisticated cyber hackers must perform multiple steps to implement attacks on sensitive data and critical servers hidden behind layers of firewalls. Therefore, there is a need to study these attacks at a higher multi-stage level. Traditional taxonomy of cyber attacks focuses on analyzing the final stage and overall effects of an attack but, not the characteristics of an attack movement or `trajectory' on a network.
This work proposes to investigate trajectory similarities between multi-stage attacks, allowing for the characterization of both a hacker's behavior and vulnerable attack paths within a network.
Currently, Intrusion Detection Systems (IDS) report alerts to a network analyst when a malicious activity is suspected to have occurred on a network. Previous work in this field has used IDS alerts as evidence of multi-stage attacks, and has thus been able to group correlated alerts into cyber attack tracks.
The main contribution of this work is to use a revised Longest Common Subsequence(LCS) algorithm to analyze attack tracks as trajectories. This allows a systematic analysis to determine which alert attributes within a track are of great value to the characterization of multi-stage attacks.
The basic LCS algorithm, which looks for the longest common sequence in two strings of data, is extended to support the non-uniformity of alert data using a time windowing system.
In addition, a normalization method will be applied to ensure that the attack track similarity measure is not adversely affected by differences in attack track length. By applying the revised LCS algorithm, attack trajectories defined in terms of various IDS alert attributes are analyzed. The results provide strong indicators of how multidimensional cyber attack trajectories can be used to differentiate attack tracks.
Library of Congress Subject Headings
Cyberterrorism--Research; Cyberterrorism--Data processing; Computer algorithms
Computer Engineering (MS)
Department, Program, or Center
Computer Engineering (KGCOE)
Shanchieh Jay Yang
Bean, Jordan, "CHAracterization of Relevant Attributes using Cyber Trajectory Similarities" (2009). Thesis. Rochester Institute of Technology. Accessed from
RIT – Main Campus