Security Metric Methods for Network Multistep Attacks Using AMC and Big Data Correlation Analysis

Network security metrics allow quantitatively evaluating the overall resilience of networked systems against attacks. From this aim, security metrics are of great importance to the security-related decision-making process of enterprises. In this paper, we employ absorbing Markov chain (AMC) to estimate the network security combining with the technique of big data correlation analysis. Specifically, we construct the model of AMC using a large amount of alert data to describe the scenario of multistep attacks in the real world. In addition, we implement big data correlation analysis to generate the transition probability matrix from alert stream, which defines the probabilities of transferring from one attack action to another according to a given scenario before reaching one of some attack targets. Based on the probability reasoning, two metric algorithms are designed to estimate the attack scenario as well as the attackers, namely, the expected number of visits (ENV) and the expected success probability (ESP). The superiority is that the proposed model and algorithms assist the administrator in building new scenarios, prioritizing alerts, and ranking them.


Introduction
Network security metrics deal with how to provide quantifiable evidence to assist security practitioners in securing computer networks, which have received significant attention in recent years [1][2][3].The underlying vulnerabilities associated with services leave loopholes, thus allowing cyber intruders to exploit services and threatening the security and privacy of data [4,5].Various security schemes, such as encryption, authentication, access control, firewalls, intrusion detection system (IDS), and data leak prevention systems (DLPSs), address these security issues.However, no individual scheme fits all cases.For example, the intrusion detection system for securing network system aims to provide a layer of defense against malicious uses of computing systems by sensing attacks and alerting users.Conventional intrusion detection systems can only produce isolated alert events.However, most cyberattacks are not single attack actions nowadays.They are multistage, multihost attacks, which are composed of a series of attack actions, leading to the fact that the cybersecurity faces huge threats and challenges.For example, the notorious Zeus botnet contains five steps including probe, overflow attack, target host infection, virus propagation, and user information stealing.Due to the complexity of state transition in multistep attacks, the security metric is of great significance for the manager to comprehend the attack properties.
With the expansion of the scale of the network, the number of distributed nodes in the network keeps increasing thus resulting in massive, multisource, and heterogeneous security alert data.Big data analysis is of great benefit to organizations, business, companies, and many large scale and small-scale industries.In order to analyze complex data and to identify patterns, by correlating the logical relationship within the huge amount of alert events, the attack scenarios are extracted, multistep attacks are recognized, the possible attack paths are identified, potential attack targets are predicted, and critical threat host nodes are discovered from the alert flow.The alert correlation analysis focuses on discovering the relationships between massive raised alerts, thereby improving the performance of network protection.

Security and Communication Networks
This paper considers as input the large number of alerts generated by several IDS sensors, processes them across an alert correlation method based on the absorbing Markov chain (AMC), and extract two security metric algorithms with high precision, such as building new scenarios, prioritizing alerts and scenarios, and ranking them.
We regard the contributions of this paper to be threefold; namely, we have the following: (i) The alert correlation algorithm is proposed to deal with the real-time alert flow.It integrates the alerts according to the correlation between their IP addresses ensuring no information loss in the process of alert preprocessing and mining each independent attack scenario.
(ii) The AMC-based model is developed for attack description that enables adaptive and precise attack recognition, analysis, and prediction, which require no prior knowledge and training data set, as well as time linear complexity, correlation, and prediction of multistep attacks with precise transition probabilities.
(iii) Two novel metric algorithms are designed by using the AMC model to extract various security properties of the attack scenarios and the attackers including the estimated probability required to reach different attack target alerts, the estimated number of each alert during an attack, critical alerts, and priority of alerts.
The remainder of this paper is organized as follows: Section 2 gives an overview of some related works.Section 3 presents the working framework and schematic of our approach.Section 4 develops the model of AMC-based security metrics and gives the details of the construction of AMC by fusing real-world alert data.Section 5 shows how to unitize the AMC model to design the approaches of extracting relevant security properties.Section 6 gives the experiments, analyses, and comparisons as well as discussions.Finally, we conclude this paper in Section 7.

Related Works
The issue of security metrics has long attracted much attention.Recently, Pendleton et al. [1] designed a security metrics framework.Behi et al. [6] provided a structure for quantitation of network security and prioritization of significant security metrics.A practical method of extracting attack properties of attacker in an enterprise network is the vulnerability attack graph (VAG).The VAG represents possible ways in which a potential attacker can break into the given network by exploiting a series of vulnerabilities on various network hosts and gaining certain privileges at each step.VAG-based security metrics provide quantifiable evidences to assist security practitioners in securing computer networks, which has been a popular method.
The present works of VAG-based security, the future challenges, and open issues were overviewed in [3].Noel et al. [7] described a suite of metrics based on the model of VAG, including metrics of victimization, size, containment, and topology of the network.The probability theory is often combined with the VAG; Sheyner et al. [8] explained that the invader tends to select the easiest path to achieve the attack target.A suite of VAG-based security metrics such as the normalized mean of path lengths, median of path lengths, mode of path lengths, and standard deviation of path lengths was further aggregated by Idika et al. [9].Similarly, the method for measuring the number of paths was demonstrated by Ortalo et al. [10], and the shortest path metric was analyzed in Phillips et al. [11].Additionally, the measurement of average path length was introduced by Li et al. [12].The success probability for a multistep attack is actually an aggregate calculation over the probabilities for each individual step in the path.From the viewpoint of time and probability, Zhu et al. [13] provided several metrics, including mean time to vulnerability, local risk rate, mean risk rate, and overall risk value.One may refer to the specific literatures for detailed surveys.To improve the performance of current metrics, Sarraute et al. [14] designed a modified version of Floyd-Warshall and Dijkstra algorithm to compute the shortest attack path.Moreover, Obes et al. [15] explored the advantageous attack paths for the given network, which aims to minimize time for an attacker to reach the target states.A VAG for predicting the expected path length of compromising the security target was proposed by Kaluarachchi et al. [16], where the attack graph was developed based on the relationship of vulnerability exploits.Hu et al. [17] further unitized the common vulnerability scoring system to calculate the expected number of atomic attacks needed to compromise the attack target.While the above reports made a significant development in security metric using VAG, the major limitation is that the VAG represents all the possible ways an invader can breach a security policy according to the network architecture of the enterprise network, which is complex and large with the increase of the scale of the network.
To improve the flexibility and richness of metrics, Ghasemigol et al. [18] introduced a comprehensive approach that can predict future attacks with more precision and dynamically adapt to changes in the environment.Abraham et al. [19] analyzed that the occurrence probability of path length can change over time with respect to the age of vulnerabilities.Ghanshyam et al. [20] proposed graph distance metrics for assessing temporal changes in attack surface of dynamic networks, which can be used to identify most critical hosts in the network as per their locations.Pendleton et al. [1] made a survey focusing on the state-of-the-art existing metrics in terms of their advantages/disadvantages and they designed a security metric framework to measure systemlevel security by aggregating vulnerabilities, defense power, attack/threat severity, and situations.Patapanchala et al. [21] computed the cumulative probability that an attacker could succeed in gaining a specific privilege or carrying out an attack in the network by aggregating vulnerability metrics.Compared with the above methods, Fredj [22] developed an alert correlation graph to calculate the expected path length with improved practicality.Although many beneficial results have been achieved, they only give the calculations of expected number of steps required for the attacker to reach the attack target but not analyze which target is more   vulnerable especially for sophisticated attack scenarios with multiple targets.As stated above, although a large number of security metrics approaches were reported, majority of them focus on the path metrics under the ideal attack scenario using VAG with assumption that all exploits are of equal strength and do not take into account the relative difficulty in exploiting the vulnerabilities.We recognize that the ideal attack path is often not the actually exploited path by the attacker.Moreover, the real relationship of exploits can be extracted from the alert stream detected by distributed IDSs.Consequently, models limited to ideal attack scenarios based on the VAG are less promising, which need to be modified and properly treated.
To address this issue, we identify the attacker's target from the huge amount of alert data through correlation analysis techniques.In contrast to the VAG, the alert correlation graph established based on AMC is used to describe the attack process.The AMC includes a finite node set V that forms the alerts detected by the security sensors.Firstly, the massive alert data is fused and correlated by clustering the IP address-related alert events.Then the correlated cluster of alerts is obtained.Secondly, based on the Markov property of AMC, the one-step transition probability matrix of different attack types produced by the alerts in each cluster is extracted.Thirdly, two metric algorithms for estimating expected number of visits (ENV) to each alert node and expected success probability (ESP) of alert target node are designed based on the proposed model.Finally, we test the performance of our method on a small-scale network.Our method solves the subjective shortcoming of manual setting of transition probabilities so that we can get the objective and reliable measurements.

Framework of Security Metric
The AMC is a special Markov chain, which has been widely applied in the analysis of economics rules.The basic idea is to model the attack process as the AMC from the real alert stream of IDS, VDS, Firewall, and other security devices.
AMC ensures intuitive representation of correlated alerts.In addition, we employ AMC to implement security metrics.The workflow and schematic framework of security metric are depicted in Figure 1, which contains two steps as follows.
(i) Construction of AMC (Section 4): The absorbing Markov chain model is used to define the probabilities to transit from one attack action/type to another according to a given scenario before reaching one of some attack targets.It includes a finite node set S that forms the alerts that could be generated by the IDS sensors.
(ii) Security metrics of attack scenarios and attackers based on AMC (Section 5): Generally, an intruder performs several actions in a well-predefined order called attack scenario.We give some theorems with respect to analyses of attack behaviors using probability theory.Then we design two metric algorithms to calculate the ENV and ESP as well as to present the relevant nodes ranking.

Model of AMC
The Markov and absorption properties of the state transition in AMC are in line with the randomness and accessibility characteristics of multistep attacks, respectively.Therefore, AMC can be used to describe the cyberattacks.At present, the format of the multisource heterogeneous alert data generated by different detection devices is quite different, the quantity and the amount of the data is huge, and the alert information is redundant.First, we must integrate the security data of IDSs, firewalls, VDSs, and other network devices to understand the alert data and standardize the data format.In this way, we can get more precise and reduce security event.Then the underlying attack scenario behind the alert flow is discovered.Finally, the attack scenario is modeled as a process for actions that transforms a system from one state to another, until reaching some targets that we call attack targets.

Alert Correlation Analysis.
A key problem in mining attack scenarios directly from massive alert events is as follows.Since there may be several independent attack activities hidden in these alert events, this may cause confusions of attack scenarios if we directly associate these multisource alerts.Therefore, we must first accurately mine each independent attack activity and then separately measure the security property of each attack scenario.
From this aim, we propose an alert clustering method based on the correlation of IP address.We format the multisource alert data detected by the different sensors and give the formal definition of alert event as follows.
Definition 1. Alert event is as an 7-tuple   = (, , , , , , ), where the timestamp is the time when the sensor detects malicious features.pluginID is the number of source sensors generating the alert event.pluginSID is the classification information of the alert event in the corresponding sensor.srcIP and srcPort are the source IP address and source port of the sensor producing alerts, respectively.desIP and desPort are the destination IP address and destination port, respectively.
The attack type of the alert is determined by the pluginID and pluginSID together in Definition 1.Therefore, we use the variable type to indicate the type attribute of the alert.
In general, alert events triggered by the same attack activity are always related to each other in the address distribution.For example, in a multistep attack, the target node of the former attack step may be the source node of the latter attack step.Based on this consideration, we use the correlation property of IP address.In detail, the alert events of the same attack activities are integrated together to provide an accurate data source for the construction of the absorbing Markov chain.
The procedure of alert clustering based on IP address correlation is shown in Algorithm 1 .The cluster  1 in Figure 2 is a collection of alert sequences with IP addresses that are relevant.It is a set of alerts with the same source IP addresses or destination IP addresses in the original alert flow.ClusterSet is the collection composed of various clusters A i .The class clusters generated by the Algorithm 1 are data sources for security metrics.Compared with the existing alert clustering method, the advantage of ours is that we do not adopt the concept of "similarity distance" with a strong subjectivity [22] but integrate the alerts according to the correlation analysis between their addresses, thus reflecting the address relevance of the attack.Meanwhile, there is no information loss in the process of alert preprocessing, which provides favorable conditions for accurately mining the hidden attack scenarios under the massive alerts.

Construction of AMC.
The attack patterns of the attackers are hidden in the clusters generated by Algorithm 1.This section investigates how to mine the hidden attack scenario based on these clusters.Since absorbing Markov chain can effectively model the randomness of development of discrete events, we use it to describe the attack process.We first overview some of the terminologies associated with AMC so that the reader can understand easily.Definition 2. A Markov chain [23] is a collection of discrete random sequences denoted as  = { 1 ,  2 , . . .,   }, which contains a finite number of states.The sequence is a Markov chain if the following condition is satisfied.The formula indicates that the probability to go from a state to another only depends on the current state but is not related to the previous states.

𝑝 (𝑠
where Q is a nonzero ( − ) × ( − ) matrix denoting the transition probabilities between transient states.0 is  × ( − ) zero matrix.R is ( − ) ×  matrix denoting the probabilities of transitions from the absorbing states to transient states.I is an  ×  identity matrix denoting the transition probabilities between absorbing states.Besides, r is the number of absorbing states, − is the number of transient states, and n is the number of total states.The AMC requires that the sum of all transition probabilities of a given state must be equal to 1.
We first present our design motivation using the example scenario in Figure 3.The aim of alert correlation is to extract the one-step transition probability matrix of attack steps hidden in the alert flow.The identification of the node corresponds to the alert ID, which also represents a kind of attack type caused by alert.The node reflects the attack step taken by the attacker.The weight of the edge corresponds to the frequency of repetition of the transition from an alert to another.Given an edge (i, j), the probability (, ) is the likelihood that the alert j will be raised given that the current raised alert is i.The transition probability between states represents the conditional probability that the attacker moves from the current attack type to the next attack type.
Since our abstraction of attack scenario is developed based on the Markov property, which indicates that the next attack step is only related to the current attack step, therefore, the next step the attacker takes under the current attack step is independent of the attack path occurring before.This is also consistent with the reality.When the attacker reaches a valid state, he begins to consider what to do next based on the current state.In other words, only the current state will affect the attacker's decision and the history states will not affect it.
The AMC in Figure 3 can also be expressed using a transition probability matrix as follows.The element in the matrix indicates the transition probability from the corresponding row's attack type to the corresponding column's attack type.We use AMC to describe the attack process.
where size is the number of 's row or column where sum is the summation of row i We analyze each class cluster of alerts produced by Algorithm 1 and mine the hidden the corresponding one-step transition probability matrix using Algorithm 2.
In the process of traversing each alert in the class cluster by Algorithm 2, if a new attack type is detected, a new row and column are added for the attack type in the transition probability matrix P, as shown in lines (9)- (12).This ensures that all types of attack are included in P shown in lines (1)- (15) The concept of proximity is used when mining associations between attack types.If the alert   and alert  +1 appear in turn, the appearance of attack type  +1 ⋅ is only related to   ⋅  according to the Markov property.Then we add 1 to the count of   ⋅  to  +1 ⋅ , which is the   + + in line (6) of Algorithm 2. For instance, if we consider the weight of edge <   1,   2 > is 2 this means that the intruder has caused the generation of the alert with Attack Type 1 and then another with Attack Type 2 two times.
We normalize the transition probability matrix obtained after abstraction to meet the requirements of the Markov chain model.According to Definition 1, the sum of all transition probabilities of a given state must be equal to 1.It is reflected that the sum of every row of the matrix P must be equal to 1. Thus, we convert the frequency of transitions between attack types into transition probabilities in lines (16)- (21).In other words, we assign the weight of the edge based on the number of frequencies of the transition from an alert to another.For each row of P, we divide each element of the row by the sum of the rows to obtain the corresponding probability distribution in line (19).Since each cluster is independent, therefore Algorithm 2 is able to use real-time parallel processing technology to deal with each class cluster as well as the collection of transition probability matrix.This is particularly important in the current big data and cloudcomputing environment.

AMC-Based Security Metrics
In this section, some lemmas and theorems for extracting properties of attackers towards multistep attacks are given.In addition, two algorithms are designed to measure the security property from the attacker's perspective.explore the matrix of calculating the expected node visits number ENV for middle host of attack path.Then the metric algorithm of ENV is given.Finally, a calculating example is provided.Lemma 6.Given a state transition matrix P of AMC satisfying Definition 5, let   , be the probability from state i to state j through t steps of attack.We can obtain the state transition matrix  () after t step attacks as follows.
Proof.Use the mathematical induction to analyze the following: (1) When  = 2, the Lemma 6 holds as follows: (2) Suppose when  =  − 1, Lemma 6 also holds and thus ], then we can obtain the following formula and thereby the supposition holds: To conclude, we can obtain that Lemma 6 is met by (1) and (2).Lemma 7. The attacker starts attacking from the source node and keeps on launching attacks until it reaches the ultimate destination node, and thereby the transition probabilities between transient states are 0. Mathematically, lim →∞  () = 0.
Proof.Assume that   = V ∈ (0, 1),    denotes the probability of  →  in exactly t steps.Then we can obtain lim Hence, the probability of the attacker remaining in the transient state is 0. Lemma 7 holds.Theorem 8. Given ( − ) × ( − ) fundamental matrix N, in which   gives the expected number of visits that the process is in the transient state j if it is started in the initial state i, then we have  = (1 − ) −1 .
ENV gives the expected number of each alert of the current scenario depending on the initial alerts raised by the intruder.Based on the ENVs of total alerts, we can obtain the ranking of alerts to arrange the patching preference of related vulnerabilities.The specification of ENV metric is shown in Algorithm 3.
We first use Algorithm 1 to separate different attack scenarios from the original alert stream and obtain the clusters of different scenarios, as shown in line (1).Then Algorithm 2 is employed to construct the AMC of each scenario.Afterwards, we use the result of Theorem 8 to calculate the ENVs of different nodes in each scenario, as shown in lines (2)-( 6).Finally, the threat ranking of the hosts corresponding to the alert nodes is given in lines (7)- (9).
To demonstrate Algorithm 3 clearly, we use Figure 3 as an example.Suppose we have obtained the corresponding transition probability matrix P. Additionally, combined with Definition 2, we can construct matrix Q and further calculate the fundamental matrix N as follows.
In practical application, if the initial alert raised by the intruder is   1, from the first row vector of N, we can obtain that the ENVs of   1,   2, and   3 are  11 = 1.25,  12 = 0.875, and  12 = 0.525, respectively.Herein, the priority of hosts related to the three alerts is   1 >   2 >   3, and the alert leading to   1 is more critical.

Metric of ESP
By Theorem 8, we can obtain ∑ ∞ =0   = .Hence, we can derive  =  ⋅ , and the theorem holds.
Similar to the metric of ENV, we first get the clusters of different attack scenarios from the original alert stream.Then we extract the AMC from each cluster.Combining with the results of Theorem 9, we get the threat ranking of destination alert nodes corresponding to the target hosts.The details are shown in Algorithm 4.
Go on with the analysis of Figure 3 Take the first row of B as an example; the value  11 gives the estimated probability of reaching the attack target   4 if the invader has just raised the   1.Since  11 >  12 , the most likely attack target is   4 and we rank the targets as   4 >   5, and alert leading to   4 is the critical node.Moreover, since 0.6125 + 0.3875 = 1, we can identify that the attacker will finally reach the absorbing state.

Algorithm Performance Analysis.
The operations of the above algorithms include matrix inversion, matrix addition, and matrix multiplication.The computation complexity of matrix multiplication is the highest.Multiplication of two  ×  matrices requires 2 3 basic operations and thereby the computation complexity is ( 3 ).Our algorithm needs to save several matrices P, Q, N, R. Therefore, the storage complexity is ( 2 ).Overall, the proposed algorithm is time linear.

Experiments and Discussions
In this section, we test the proposed model and algorithms on a small-scale experiment network.We first describe the experiment setup.Then the experiment results are demonstrated.Experiment analyses as well as some comparisons and discussions are given finally.
6.1.Experiment Environment 6.1.1.Network Topology.Given a real network as depicted in Figure 4 to perform our approaches, the network is composed of the firewalls, routers, Snort IDSs, a web server, a database server, a graphic workstation, and an external host for launching attack.

Network Configuration.
The firewall policies are organized in Table 1.The network is divided into 2 subnets.The servers H1, H2 are deployed in the DMZ zone, and the workstation H3 and servers H4, H5 are deployed in the trusted zone.The remote host H0 is forbidden to access with servers in the trusted zone by firewalls and can only communicate with H1, H2 in the DMZ zone via HTTP protocol (port 80).Servers in the trusted zone can only communicate with the servers in the DMZ zone passively.After scanning the network using tool Nessus [24], we collect the vulnerabilities in the network.By querying the database of NVD, we obtain the detailed host configuration and vulnerability information as shown in Table 2.

Experiment Analyses.
In order to collect real-world attack alert data, the attacker carries out the UDP FLOOD attack and SYN FLOOD attack.We collect the alert data detected by the running IDS, the firewall, and syslog of servers for experiment analyses.

Construction of AMC.
After using Algorithm 1 to fuse the original alerts, we get two class clusters  1 and  2 .Taking cluster  1 of UDF FLOOD scenario as an example, we further use Algorithm 2 to mine the one-step transition probability matrix.The attack type represented by each row and column of the matrix is numbered according to the occurrence order of its corresponding alert event.The description of each attack type corresponding to the detected alert raised by the intruder is organized in Table 3.The Graphviz toolkit [25] is used to draw the absorbing Markov chain of the attack scenario extracted from  1 as shown in Figure 5.The yellow node denotes the remote attacker in the Internet.Two green nodes are the target states of the attacker.Other nodes represent the attack types of attack events derived from the alert analysis.According to the alerts raised by the Allowing remote attackers to execute arbitrary programs via a sequence in a search action intruder, we can obtain the attack steps that the intruder has taken.

Metric of ENV.
In this section, we conduct Algorithm 3 to calculate ENV for the realistic attack scenario.The state transition matrix P of Figure 5 is constructed firstly, and then we calculate the matrix N.
The different rows of N indicate the ENVs of attacker starting from different initial states.The distribution of ENV is illustrated in Figure 6.The bigger value indicates the higher critical level of the vulnerability related to the node.For example, from the first row of N, if the attacker has just raised the alert node  1 , then the ENVs to middle nodes  2 ,  3 ,  4 ,  5 are 0.39, 0.71, 0.19, and 0.47, respectively.The corresponding ].For a given attack target, the larger   is, the higher the probability will reach it.Suppose the manager observed that the intruder had just raised the alert  1 , then from the first row of B, we can obtain the fact that the ESPs of attacker raising  6 and  7 are 0.5035 and 0.4965, respectively.Therefore, the invader is more likely to breach the host H4 associated with  6 .The distribution of ESP is illustrated in Figure 7.The abscissa is the source alert of attacker and the ordinate is the ESP of achieving the target alert.When the source alerts (first observed alerts) are  1 ,  2 ,  3 ,  4 , and  5 , which indicates that regardless of the source alerts we can predict that the most likely target alert is  6 (Graphic workstation H4) since it can bring more loss to the network system by causing DOS stream.

Comparisons and Discussions.
In order to compare the metrics of the realistic scenario using alerts as input with that of the ideal scenario using vulnerability exploits as input, we further summarize the detailed qualitative analyses in Table 4.Our major merits are shown in Table 4.
The VAG-based security metrics utilize vulnerability attack graph to represent all the possible ways an intruder can compromise a security policy through vulnerability exploitation.The VGA can be constructed by using network connectivity information and known vulnerabilities within the architecture of the network.It reveals all the ways an attacker can leverage vulnerabilities in a given network to violate a security policy.Since all attack paths are included, the VAG describes a more general and loose scenario.We refer the metrics within the ideal attack scenario as the ideal metrics.Most existing studies focused on ideal scenario since it includes all possible scenarios for attackers.For instance, [8,11,14,20] analyzed the shortest path length, which assumes  that each atomic attack can succeed immediately.Meanwhile, the number of ideal paths was calculated in [9][10][11]20], which is established based on the hypothesis that each node appears exactly once in the attack path.The most probable path is identified by calculating the cumulative success probability of each attack path in [9-11, 18, 20], where the cumulative probability is obtained by calculating the product of the probabilities of the substeps of attack.The ideal probability that an attacker could achieve the target is the sum of the cumulative probabilities of all ideal paths [9,10,14,18,20].We take Figure 5 as an example; if the source alert is a 1 , the cumulative probabilities of reaching  6 and  7 are 0.19 and 0.38, respectively.It is interesting that the sum of 0.19 and 0.38 is 0.57 but not 1.In general, the attacker starts attacking from the source alert and keeps on launching permeation until he reaches the ultimate target node.Therefore, the cumulative probability is an ideal result without considering the failed actions of attack.Moreover, as the size and scale of the network increase, the number of nodes and edges in the VAG  increases dramatically, thus making the metrics complicated and difficult to implement.
Although the above ideal security metrics can only properly reflect the security strength of the network in a certain extent, we recognize that the ideal attack scenario may not be the real scenario launched by the attackers.From this aim, we collect the incoming alert flow to extract the alert correlation graph by using alert correlation analysis technique.Compared with the VAG, we model the real-world attack scenario as the absorbing Markov chain, thus improving the authenticity of measurement.Meanwhile, the scale of the generated graph is significantly reduced and it is beneficial to improve the efficiency and accuracy of metrics.For example, if the source alert is a 1 , the expected success probability of a 6 is 0.29, which is larger than the ideal success probability 0.19.This is due to the fact that we pick up the missed failed attack actions in ideal scenario.Since the ESP of a 7 is larger, we can identify that the target alert is a 7 .The ENV of a 2 is 0.39, which indicates that an average of 0.29 times of alerts with attack type "TELENT Bad login" will be aroused if the intruder has just aroused alert a 1 .The ENV of a 3 is the largest, so the vulnerability leading to alert a 3 with attack type "RPC sadmind UDP PING" is the most critical and thus suggested to be patched first.Although [17] also gives a measurement of the average numbers of visits to the middle hosts of attack path, the estimate of transition probability is deduced based on the common vulnerability scoring system and therefore still depends on the expert experience.Moreover, existing researches focus on analyzing attackers with just one attack target.How to deal with the sophisticated scenarios including multiple attack targets has not been taken into consideration yet.In contrast to [17], the probabilities of state transitions are calculated from the real-time alert data set automatically in our method and do not require any prior knowledge.Besides, we can analyze the scenarios with multiple targets.Hence, our measurement results are more objective and practical.
In summary, the AMC model extracting from the realtime alert data is more closely related to the actual scenario of attack, and therefore the metrics obtained are more accurate and effective.The proposed model and metric algorithms provide quantitative and efficient data support for network proactive defense and will assist in making appropriate security decisions in advance.

Conclusions and Future Works
Current enterprise networks typically have multiple entry points.This topology is intended to enhance a network's accessibility and availability, but it leaves security vulnerabilities that sophisticated attackers can exploit using advanced techniques, such as multistep attacks.Quantifying security with metrics is important since we want to have a scoring system to estimate the strength of the security.From this aim, we present an absorbing Markov model for extracting several attack properties with higher precision based on correlation analysis of alert data.Using the model of absorbing Markov chain, we can extract various properties of the attack scenarios as well as the attackers, such as the estimated probability of reaching each attack target and the estimated occurrence number of each alert in the attack scenario.The experiments verify that our approaches are available, reliable, and comprehensive.For future work, we plan to extend the model by combining other predictive techniques to design a suit of more comprehensive, integrated approaches to the metrics of security.

Figure 1 :
Figure 1: The main steps of the security metric framework.

Input: 1 ClusterSet A 2 ClusterSet A 3 matrix P 1 matrix P 2 matrix P 3 Figure 2 :
Figure 2: Alerts clustering based on the correlation of IP addresses.

Figure 3 :
Figure 3: The absorbing Markov chain representation of the attack scenario by alert correlation.

Algorithm 2 :
Pseudocode for mining the transition probability matrix from alerts.in the matrix represents the conditional probability ( | ) from the present attack type i to the future attack type j.The semantics of transition probability in the perspective of alert correlation is the probability of attacker from the current attack step i to the next attack step j.

Figure 6 :
Figure 6: ENV distribution of attacker arising with different middle alert nodes from different source alert nodes.

Figure 7 :
Figure 7: ESP distribution of attacker arising with different target alert nodes from different source alert nodes. ) Definition 4. A transient state is the intermediate state of the attacker.The transient state node b has at least one out-going edge.Formally, { ∈  | ∃ ∈ }.Definition 5.An absorbing Markov chain [23] is a special Markov chain containing at least one absorbing state.The associated state transition matrix P has the following canonical form.

Table 2 :
Host configuration and vulnerability information.

Table 3 :
The descriptions of alerts and their attack types in cluster A 1 .Figure 5: The AMC model extracted from the real alert flow.threatranking is  3 >  2 >  5 >  4 .Thus, the security manager can employ this priority to determine which alert relevant vulnerability needs to be patched first.Herein, the first vulnerability suggested to be patched is the CVE 2014-1878 leading to  3 .

Table 4 :
Comparisons of security metrics among our method and others.