Alert-driven Attack Graph Generation using S-PDFA

Ideal cyber threat intelligence (CTI) includes insights into attacker strategies that are specific to a network under observation. Such CTI currently requires extensive expert input for obtaining, assessing, and correlating system vulnerabilities graphical representation, often referred as an attack graph (AG). Instead of deriving AGs based on vulnerabilities, this work advocates the direct use intrusion alerts. We propose SAGE, explainable sequence learning pipeline automatically constructs from alerts without priori knowledge. SAGE exploits temporal probabilistic dependence between in suffix-based deterministic finite automaton (S-PDFA)-a model brings infrequent severe spotlight summarizes paths leading them. Attack graphs extracted per-victim, per-objective basis. is thoroughly evaluated three open-source alert datasets collected through security testing competitions order analyze distributed multi-stage attacks. compresses over 330k 93 show how attacks transpired. The succinct, interpretable, provide directly relevant strategic differences fingerprintable paths. They even attackers tend follow shorter after they have discovered longer one 84.5% cases.