Attack chain detection

Joseph Sexton, Curtis Storlie, Joshua Neil

Research output: Contribution to journalArticlepeer-review

17 Scopus citations


A targeted network intrusion typically evolves through multiple phases, termed the attack chain. When appropriate data are monitored, these phases will generate multiple events across the attack chain on a compromised host. It is shown empirically that events in different parts of the attack chain are largely independent under nonattack conditions. This suggests that a powerful detector can be constructed by combining across events spanning the attack. This article describes the development of such a detector for a larger network. To construct events that span the attack chain, multiple data sources are used, and the detector combines across events observed on the same machine, across local neighborhoods of machines linked by network communications, as well as across events observed on multiple computers. A probabilistic approach for evaluating the combined events is developed, and empirical investigations support the underlying assumptions. The detection power of the approach is studied by inserting plausible attack scenarios into observed network and host data, and an application to a real-world intrusion is given.

Original languageEnglish (US)
Pages (from-to)353-363
Number of pages11
JournalStatistical Analysis and Data Mining
Issue number5-6
StatePublished - Oct 1 2015


  • Anomaly detection
  • Intrusion detection

ASJC Scopus subject areas

  • Analysis
  • Information Systems
  • Computer Science Applications


Dive into the research topics of 'Attack chain detection'. Together they form a unique fingerprint.

Cite this