HAL-RD: cross-correlating heterogeneous alerts and logs using resource dependencies

SAC '20: The 35th ACM/SIGAPP Symposium on Applied Computing, Brno, Czech Republic, March 2020 (2020)

Abstract
Many organizations today deploy a variety of security and monitoring tools at different levels of defense. When an attack occurs, these tools generate heterogeneous alerts and logs. Because of the volume and dispersion of these alerts and logs, cross-correlating them manually is a time-consuming and labor-intensive task. The main challenge is that the heterogeneous alerts and logs produced by a single attack stage do not necessarily share common features, and there are no explicit relationships between them that could be used for cross-correlation. In this paper, we address this deficiency with HAL-RD, a novel technique that uses resource dependencies to cross-correlate heterogeneous alerts and logs. HAL-RD tracks logs for backward and forward dependencies between resources and uses this information to construct an attack state graph: a directed graph whose nodes represent attack states and whose directed edges represent the chronological ordering between them. Each attack state integrates the information found in multiple heterogeneous alerts, logs, and OS-level operations that relate to one stage of a multi-stage attack. Under certain conditions, the attack state graph is updated incrementally, so that when an attacker resumes a multi-stage attack after a delay, all of the attacker's activities are still identified. The evaluation results demonstrate the effectiveness of HAL-RD for cross-correlating heterogeneous alerts and logs.
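The abstract describes the mechanism only in outline: alerts from different tools share no fields, so HAL-RD links them through the resource dependencies (process, file, network endpoint) recorded in OS-level logs, and orders the resulting attack states chronologically. The following is an added illustration of that idea, written for this page; it is not HAL-RD's own code, and the audit-event format, the alert format, the process names, paths and IP addresses, and the two log batches are all constructed. It resolves each alert backward to the process that last acted on the alerted resource, walks forward along time-respecting dependency edges to see which later alerts that process explains, reduces the result to chronological edges, and shows that a second batch ingested after a delay still attaches to the first.

```python
"""Added example (not HAL-RD's own code): cross-correlating heterogeneous
alerts through OS-level resource dependencies, as the abstract describes.
Every event, alert, process name, path and address below is constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One OS-level operation from an audit log (constructed schema)."""
    t: int      # monotonic timestamp
    pid: str    # acting process, e.g. "proc:php"
    op: str     # read | exec | write | connect | spawn
    res: str    # resource touched: "file:...", "ip:...", or a child "proc:..."


@dataclass(frozen=True)
class Alert:
    """One alert from some tool; tools share no schema, only a resource name."""
    t: int
    source: str
    res: str
    msg: str


# read/exec bring data *into* the process (the process now depends on the
# resource); write/connect/spawn push it *out* (the resource depends on it).
INTO = {"read", "exec"}


class Correlator:
    def __init__(self):
        self.succ = defaultdict(list)     # node -> [(t, node)]: forward dependency edges
        self.touched = defaultdict(list)  # resource -> [(t, pid)]: who acted on it
        self.states = []                  # attack states: (alert, actor process, t_link)
        self.links = set()                # (i, j): state i precedes and explains state j

    def ingest(self, events, alerts):
        """Incremental update: new events/alerts are linked into the existing graph."""
        for ev in sorted(events, key=lambda e: e.t):
            src, dst = (ev.res, ev.pid) if ev.op in INTO else (ev.pid, ev.res)
            self.succ[src].append((ev.t, dst))
            self.touched[ev.res].append((ev.t, ev.pid))
        for al in sorted(alerts, key=lambda a: a.t):
            self._add_state(al)

    def _forward(self, node, t0):
        """Nodes reachable from `node` along edges whose timestamps never decrease."""
        best = {node: t0}                 # node -> earliest arrival time
        stack = [node]
        while stack:
            n = stack.pop()
            for te, m in self.succ[n]:
                if te >= best[n] and te < best.get(m, float("inf")):
                    best[m] = te          # an earlier arrival admits more later edges
                    stack.append(m)
        return best

    def _add_state(self, al):
        # Backward step: which process last acted on the alerted resource?
        prior = [(t, p) for t, p in self.touched[al.res] if t <= al.t]
        if not prior:
            return                        # no OS-level operation explains this alert
        t_link, actor = max(prior)
        j = len(self.states)
        self.states.append((al, actor, t_link))
        # Forward step: does an earlier state's dependency closure reach this one?
        for i, (a0, actor0, t0) in enumerate(self.states[:-1]):
            reach = self._forward(actor0, t0)
            if a0.t <= al.t and (actor in reach or al.res in reach):
                self.links.add((i, j))

    def attack_state_graph(self):
        """Chronological edges only: drop links implied by a path via another state."""
        red = {(i, j) for (i, j) in self.links
               if not any((i, k) in self.links and (k, j) in self.links
                          for k in range(len(self.states)))}
        return {(self.states[i][0].t, self.states[j][0].t) for i, j in red}

    def unexplained(self):
        """Alerts that correlate with nothing (isolated states)."""
        linked = {i for e in self.links for i in e}
        return [s[0] for i, s in enumerate(self.states) if i not in linked]


# Constructed scenario: web shell upload and reverse shell, then, after a
# delay, cron persistence and a beacon. The two batches arrive separately.
BATCH1_EVENTS = [
    Event(1, "proc:nginx", "write", "file:/var/www/html/sh.php"),
    Event(3, "proc:php", "read", "file:/var/www/html/sh.php"),
    Event(4, "proc:php", "spawn", "proc:sh"),
    Event(5, "proc:sh", "connect", "ip:203.0.113.9"),
    Event(9, "proc:word", "write", "file:/home/bob/doc.pdf"),  # unrelated user activity
]
BATCH1_ALERTS = [
    Alert(2, "fim", "file:/var/www/html/sh.php", "new file in webroot"),
    Alert(5, "ids", "ip:203.0.113.9", "outbound to known C2"),
    Alert(10, "av", "file:/home/bob/doc.pdf", "macro heuristic"),
]
BATCH2_EVENTS = [
    Event(30, "proc:sh", "write", "file:/etc/cron.d/persist"),
    Event(31, "proc:cron", "read", "file:/etc/cron.d/persist"),
    Event(32, "proc:cron", "spawn", "proc:beacon"),
    Event(33, "proc:beacon", "connect", "ip:198.51.100.7"),
]
BATCH2_ALERTS = [
    Alert(30, "fim", "file:/etc/cron.d/persist", "cron entry modified"),
    Alert(33, "ids", "ip:198.51.100.7", "periodic beacon"),
]


def demo():
    c = Correlator()
    c.ingest(BATCH1_EVENTS, BATCH1_ALERTS)
    c.ingest(BATCH2_EVENTS, BATCH2_ALERTS)  # attacker resumes after a delay
    return c


if __name__ == "__main__":
    c = demo()
    for a, b in sorted(c.attack_state_graph()):
        print(f"state@t={a} -> state@t={b}")
    print("unexplained:", [(a.source, a.t) for a in c.unexplained()])
```

The FIM and IDS alerts share no field at all (a file path versus an IP address), yet the dependency chain nginx -> sh.php -> php -> sh -> 203.0.113.9 ties them together, and the second batch attaches because the same `proc:sh` that opened the reverse shell later wrote the cron entry. The AV alert stays isolated because no dependency path reaches `proc:word`. Two simplifications a real deployment would have to revisit: processes are named rather than keyed by pid plus start time (pids are reused), and an alert whose resource has no recorded operation is dropped rather than kept as an unattached state.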
Keywords
alert correlation, alert enrichment, cross-correlation, attack state graph, heterogeneous alerts and logs