
Clustering of multistage cyber attacks using significant services

  • Rochester Institute of Technology
Research Output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Multistage cyber attacks may target services of different types, and the services targeted often indicate the attacker's behavior or capability to penetrate the network. A significant enhancement to network defenses would be the ability to recognize the different classes of multistage attacks, allowing timely and effective anticipation of future attack actions. Drawing an analogy to social network analysis, this work proposes a methodology that clusters cyber attacks based on the 'significant services' being exploited. From transforming the attacked services to applying a divisive hierarchical clustering algorithm, the proposed method identifies sub-communities of attacks that share common characteristics. Experimental results demonstrate high modularity for the identified community structure. Examining the attack clusters and the resulting dendrogram also makes novel discoveries possible.
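The following is an added example, written for this page, and is not the authors' code or their exact method. It illustrates the pipeline the abstract sketches: weight each attacked service by how significant it is, build an attack-to-attack graph from shared significant services, split that graph with a divisive hierarchical clustering, and score every level of the resulting dendrogram by modularity. Several choices are assumptions, not details from the paper: "significance" is modeled as an IDF-style weight (a service hit by every attack carries no information), the divisive algorithm is Girvan-Newman edge-betweenness removal, the edge threshold `MIN_WEIGHT` is arbitrary, and the attack traces in `ATTACKS` are constructed for the demonstration.

```python
"""Cluster multistage attacks by the significant services they target.

Added example, not the paper's code. Assumptions: IDF-style service
significance, Girvan-Newman as the divisive hierarchical clustering,
and constructed sample attacks.
"""
import math
from collections import deque
from itertools import combinations

# Constructed sample: each multistage attack is the set of services it hit.
# "dns" is touched by every attack, so it should carry no clustering signal.
ATTACKS = {
    "A1": {"http", "php", "mysql", "dns"},
    "A2": {"http", "php", "ftp", "dns"},
    "A3": {"http", "mysql", "ssh", "dns"},
    "A4": {"smb", "rpc", "ssh", "dns"},
    "A5": {"smb", "rpc", "kerberos", "dns"},
    "A6": {"smb", "ldap", "kerberos", "dns"},
}
MIN_WEIGHT = 0.5  # assumed threshold for drawing an edge between two attacks


def service_weights(attacks):
    """Significance of a service: log(N / df), so ubiquitous services weigh 0."""
    n, df = len(attacks), {}
    for svcs in attacks.values():
        for s in svcs:
            df[s] = df.get(s, 0) + 1
    return {s: math.log(n / c) for s, c in df.items()}


def build_graph(attacks, min_weight=MIN_WEIGHT):
    """Undirected graph: attacks are joined when shared services are significant enough."""
    w = service_weights(attacks)
    adj = {a: set() for a in attacks}
    for a, b in combinations(sorted(attacks), 2):
        if sum(w[s] for s in attacks[a] & attacks[b]) >= min_weight:
            adj[a].add(b)
            adj[b].add(a)
    return adj


def components(adj):
    """Connected components, each a frozenset, ordered by smallest member."""
    seen, comps = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            v = stack.pop()
            if v not in comp:
                comp.add(v)
                stack.extend(adj[v] - comp)
        seen |= comp
        comps.append(frozenset(comp))
    return comps


def edge_betweenness(adj):
    """Shortest-path edge betweenness via Brandes' accumulation (undirected)."""
    eb = {frozenset((u, v)): 0.0 for u in adj for v in adj[u]}
    for s in adj:
        dist, sigma, preds, order, q = {s: 0}, {s: 1.0}, {v: [] for v in adj}, [], deque([s])
        while q:  # BFS counting shortest paths from s
            v = q.popleft()
            order.append(v)
            for x in adj[v]:
                if x not in dist:
                    dist[x], sigma[x] = dist[v] + 1, 0.0
                    q.append(x)
                if dist[x] == dist[v] + 1:
                    sigma[x] += sigma[v]
                    preds[x].append(v)
        delta = {v: 0.0 for v in adj}
        for x in reversed(order):  # back-propagate dependencies onto edges
            for v in preds[x]:
                c = sigma[v] / sigma[x] * (1 + delta[x])
                eb[frozenset((v, x))] += c
                delta[v] += c
    return {e: b / 2 for e, b in eb.items()}  # each undirected edge was counted twice


def modularity(adj, partition):
    """Newman modularity Q of a partition, evaluated on the original graph."""
    m = sum(len(nb) for nb in adj.values()) / 2
    q = 0.0
    for comm in partition:
        internal = sum(len(adj[v] & comm) for v in comm) / 2
        degree = sum(len(adj[v]) for v in comm)
        q += internal / m - (degree / (2 * m)) ** 2
    return q


def divisive_clustering(adj):
    """Girvan-Newman: cut the highest-betweenness edge until the graph splits;
    return every dendrogram level as (partition, modularity)."""
    work = {v: set(nb) for v, nb in adj.items()}
    parts = components(work)
    levels = [(parts, modularity(adj, parts))]
    while any(work.values()):
        eb = edge_betweenness(work)
        u, v = sorted(max(eb.items(), key=lambda kv: (kv[1], tuple(sorted(kv[0]))))[0])
        work[u].discard(v)
        work[v].discard(u)
        new_parts = components(work)
        if len(new_parts) > len(parts):  # a community just split: new dendrogram level
            parts = new_parts
            levels.append((parts, modularity(adj, parts)))
    return levels


def best_partition(adj):
    """The dendrogram level with the highest modularity."""
    return max(divisive_clustering(adj), key=lambda lv: lv[1])


if __name__ == "__main__":
    graph = build_graph(ATTACKS)
    for parts, q in divisive_clustering(graph):
        print(f"Q={q:.3f}  " + "  ".join("{" + ",".join(sorted(p)) + "}" for p in parts))
```

Run as a script, it prints each level of the dendrogram with its modularity; for the constructed traces the best level separates the web-stack attacks {A1,A2,A3} from the Windows-domain attacks {A4,A5,A6}, joined only by the weak shared "ssh" edge that Girvan-Newman cuts first. Lowering `MIN_WEIGHT` to 0 shows why significance weighting matters: the zero-weight "dns" service then connects every pair and the structure disappears into a complete graph.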