We are going to detect/predict multi-stage attacks from intrusion alerts. The dataset used is DARPA 2000 (MIT Lincoln Laboratory, 2000).
This dataset consists of two simulated multi-stage attack scenarios, LLDOS1.0 and LLDOS2.0, each ending in a Distributed Denial of Service (DDoS) attack, captured on two different network segments [the Demilitarized Zone (DMZ) and the Inside network].
The LLDOS1.0 scenario can be divided into five phases as follows.
Phase 1: The attacker scans the network to determine which hosts are “up”.
Phase 2: The attacker then uses the "ping" option of the sadmind exploit program to determine which of the hosts found in Phase 1 are running the sadmind service.
Phase 3: The attacker attempts the sadmind remote-to-root exploit several times in order to compromise the vulnerable machines.
Phase 4: The attacker uses telnet and rcp to install a DDoS program on the compromised machines.
Phase 5: The attacker telnets to the DDoS master machine and launches the mstream DDoS against the final victim of the attack.
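As an added illustration (not code from the original post and not part of the DARPA 2000 materials), the following Python correlates intrusion alerts into the five phases above with one small state machine per attacker source, so that partial progress can be reported and the expected next phase predicted. The alert signature names, the addresses and the sample alerts are constructed assumptions, not the dataset's real alert labels; map the real IDS signatures onto the phase labels before running it on the attached data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Phase order of the LLDOS 1.0 scenario as described above. The signature
# names are assumptions standing in for whatever the IDS actually emits.
PHASES: List[Tuple[str, Set[str]]] = [
    ("scan",            {"ICMP_PING_SWEEP"}),
    ("sadmind_ping",    {"RPC_SADMIND_PING"}),
    ("sadmind_exploit", {"RPC_SADMIND_OVERFLOW"}),
    ("install",         {"TELNET_LOGIN", "RCP_TRANSFER"}),
    ("ddos",            {"MSTREAM_MASTER_CMD", "MSTREAM_FLOOD"}),
]
SIG_TO_PHASE = {sig: i for i, (_, sigs) in enumerate(PHASES) for sig in sigs}


@dataclass
class Alert:
    ts: int       # seconds since capture start
    src: str
    dst: str
    sig: str


@dataclass
class Track:
    stage: int = 0                                   # phases completed (0..5)
    hits: List[Alert] = field(default_factory=list)  # every alert attributed to this track
    skipped: List[str] = field(default_factory=list) # phases never reported by the IDS


def phase_of(sig: str) -> Optional[int]:
    return SIG_TO_PHASE.get(sig)


def correlate(alerts: List[Alert], window: int = 3600) -> Dict[str, Track]:
    """Advance one state machine per attacker source through the phases."""
    tracks: Dict[str, Track] = {}
    for a in sorted(alerts, key=lambda x: x.ts):
        p = phase_of(a.sig)
        if p is None:
            continue                        # signature unrelated to the scenario
        t = tracks.get(a.src)
        # Start a fresh track if the source went quiet for longer than the window
        if t is None or (t.hits and a.ts - t.hits[-1].ts > window):
            t = tracks[a.src] = Track()
        t.hits.append(a)
        if p >= t.stage:
            # Phases the IDS missed (e.g. an unreported scan) are skipped rather
            # than blocking progress; record them so the analyst can see the gap.
            t.skipped.extend(name for name, _ in PHASES[t.stage:p])
            t.stage = p + 1
        # p < t.stage: a repeat of an earlier phase (several exploit attempts);
        # kept in hits but does not move the stage.
    return tracks


def predict(tracks: Dict[str, Track]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map each source to (last phase reached, expected next phase or None)."""
    out: Dict[str, Tuple[str, Optional[str]]] = {}
    for src, t in tracks.items():
        if t.stage == 0:
            continue
        reached = PHASES[t.stage - 1][0]
        nxt = PHASES[t.stage][0] if t.stage < len(PHASES) else None
        out[src] = (reached, nxt)
    return out


# Constructed sample alerts (not taken from the DARPA 2000 data); RFC 5737 addresses.
SAMPLE = [
    Alert(0,    "192.0.2.10", "198.51.100.20", "ICMP_PING_SWEEP"),
    Alert(5,    "192.0.2.10", "198.51.100.30", "ICMP_PING_SWEEP"),
    Alert(60,   "192.0.2.10", "198.51.100.20", "RPC_SADMIND_PING"),
    Alert(120,  "192.0.2.10", "198.51.100.20", "RPC_SADMIND_OVERFLOW"),
    Alert(130,  "192.0.2.10", "198.51.100.20", "RPC_SADMIND_OVERFLOW"),
    Alert(300,  "192.0.2.10", "198.51.100.20", "RCP_TRANSFER"),
    Alert(20,   "192.0.2.99", "198.51.100.40", "ICMP_PING_SWEEP"),       # lone scanner
    Alert(9000, "192.0.2.77", "198.51.100.50", "RPC_SADMIND_OVERFLOW"),  # scan never seen
]

if __name__ == "__main__":
    for src, (reached, nxt) in predict(correlate(SAMPLE)).items():
        print(f"{src}: reached {reached}, expect {nxt}")
```

Keying on the attacker's source address is enough for phases 1 to 4 and for the telnet into the master in phase 5, but the flood itself is sent by the compromised hosts, so a correlator used on the full capture should also link hosts that were targets of phases 3 and 4 to the same track when they appear as sources of mstream traffic.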
The aim is a deep learning method that can self-learn the features needed for accurate detection and classification of multi-stage attack scenarios.
The dataset is attached.