Robust Attack Graph Generation
This work addresses the challenge of modeling infrequent behavior in software systems, such as attacker actions from noisy intrusion data, but it appears incremental as it builds on existing automaton learning methods.
The paper tackles the problem of learning automaton models robust to input modifications, such as noise from added or removed symbols, by iteratively aligning sequences to a learned model and re-learning it. The result is more concise models that better fit training data, as demonstrated in experiments with the SAGE tool for intrusion alerts.
We present a method to learn automaton models that are more robust to input modifications. It iteratively aligns sequences to a learned model, modifies the sequences to their aligned versions, and re-learns the model. Automaton learning algorithms are typically very good at modeling the frequent behavior of a software system. Our solution can be used to also learn the behavior present in infrequent sequences, as these will be aligned to the frequent ones represented by the model. We apply our method to the SAGE tool for modeling attacker behavior from intrusion alerts. In experiments, we demonstrate that our algorithm learns models that can handle noise such as added and removed symbols from sequences. Furthermore, it learns more concise models that fit better to the training data.
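The align, modify, re-learn loop described above, as an added example that is not code from the paper or from SAGE. It assumes a frequency-threshold prefix tree as a stand-in for the automaton learner and edit distance as the alignment; the alert names, `min_support` and `max_edits` are constructed for illustration.

```python
from collections import Counter

def edit_distance(a, b):
    """Levenshtein distance between two symbol sequences."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1,             # drop a symbol of a
                           cur[j - 1] + 1,          # insert a symbol of b
                           prev[j - 1] + (x != y))) # match or substitute
        prev = cur
    return prev[-1]

def learn(seqs, min_support):
    """Stand-in learner (assumption): the model is the set of frequent paths."""
    return {s for s, n in Counter(seqs).items() if n >= min_support}

def num_states(seqs):
    """Number of states in the prefix tree over seqs, root included."""
    return 1 + len({s[:i] for s in seqs for i in range(1, len(s) + 1)})

def align(seq, model, max_edits):
    """Return the closest model path within max_edits, else seq unchanged."""
    if seq in model or not model:
        return seq
    best = min(sorted(model), key=lambda m: edit_distance(seq, m))
    return best if edit_distance(seq, best) <= max_edits else seq

def robust_learn(seqs, min_support=2, max_edits=1, max_rounds=10):
    """Iterate learn -> align -> modify until the sequences stop changing."""
    seqs = [tuple(s) for s in seqs]
    for _ in range(max_rounds):
        model = learn(seqs, min_support)
        aligned = [align(s, model, max_edits) for s in seqs]
        if aligned == seqs:
            break
        seqs = aligned
    return model, seqs

# Constructed alert sequences: one frequent path, one with an added symbol,
# one with a removed symbol, and one unrelated sequence that must not be merged.
ALERTS = [("scan", "exploit", "exfil")] * 3 + [
    ("scan", "noise", "exploit", "exfil"),
    ("scan", "exfil"),
    ("dos", "dos", "dos", "dos"),
]
```

On this input the prefix tree shrinks from 12 states to 8 after alignment, while the unrelated `dos` sequence is left untouched because it is more than `max_edits` away from any frequent path.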