Learning Factor Graphs for Preempting Multi-Stage Attacks in Cloud Infrastructure
ABSTRACT
for preempting multi-stage attacks in cloud infrastructure. We discuss methods for: i) learning parameters of multi-variate factor functions that capture relations among the events representing behavior of both a user and an attacker, and ii) construction of factor graphs to reason about an attack state with the purpose of preemptively detecting malicious activities. Our work is driven by real attacks reported in the wild.
In the context of this analysis, we focus on multi-stage attacks that can be represented by five distinct stages: initial compromise, host hopping, escalation of privilege, maintaining presence, and delivery of payloads. User and attacker activities are represented by events, which are derived from the log files collected at runtime by security monitoring tools, such as intrusion detection systems, network flows, and system logs.
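A small worked instance of the reasoning the abstract describes, added here as an illustration and not code from the paper: a chain factor graph whose hidden variable is the current attack stage (one of the five stages plus "none"), with a transition factor between consecutive stages and an observation factor tying each stage to an observed event. The factor values, the event labels and the trace are hand-set assumptions for the example (the paper learns its factor parameters from data); inference is a forward sum-product pass along the chain.

```python
STAGES = ["none", "initial_compromise", "host_hopping",
          "privilege_escalation", "maintaining_presence", "payload_delivery"]

# Hand-set factor values (assumptions for illustration; the paper learns these).
# Event labels stand in for events derived from IDS alerts, flows and syslog.
EVENT_FACTOR = {  # psi(stage, event): which stage an event type points at
    "normal":          {"none": 0.9},
    "ids_alert":       {"initial_compromise": 0.9},
    "lateral_flow":    {"host_hopping": 0.9},
    "sudo_escalation": {"privilege_escalation": 0.9},
    "cron_persist":    {"maintaining_presence": 0.9},
    "payload_fetch":   {"payload_delivery": 0.9},
}
BACKGROUND = 0.05  # weight for every other stage (and for unknown event types)

def transition_factor(prev: int, cur: int) -> float:
    """phi(S_{t-1}, S_t): an attacker mostly stays in a stage or advances one."""
    if cur == prev:
        return 1.0
    return 0.8 if cur == prev + 1 else 0.05

def observation_factor(stage: str, event: str) -> float:
    """psi(S_t, E_t) for one observed event."""
    return EVENT_FACTOR.get(event, {}).get(stage, BACKGROUND)

def stage_posteriors(events):
    """Forward (sum-product) pass along the chain; returns the normalized
    belief over STAGES after each event, i.e. P(S_t | E_1..E_t)."""
    belief = [1.0] + [0.0] * (len(STAGES) - 1)  # start: nothing compromised
    history = []
    for event in events:
        new = []
        for cur, stage in enumerate(STAGES):
            msg = sum(belief[prev] * transition_factor(prev, cur)
                      for prev in range(len(STAGES)))
            new.append(msg * observation_factor(stage, event))
        total = sum(new)
        belief = [v / total for v in new]
        history.append(dict(zip(STAGES, belief)))
    return history

def most_likely_stage(events) -> str:
    """MAP stage after the last event: what a preemptive alert would key on."""
    if not events:
        return STAGES[0]
    last = stage_posteriors(events)[-1]
    return max(last, key=last.get)
```

Because the transition factor couples stages in order, an isolated later-stage event (a lone `sudo_escalation` with no preceding compromise) does not by itself move the belief off "none", while the same event after `ids_alert` and `lateral_flow` does; that coupling across events is what a factor graph adds over per-event alerting.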