A method to identify a network attack based on a signature of malicious network traffic. An attacker at Host 0 may be able to gain access to Host 1 or Host 2 by exploiting vulnerabilities in the services sv0-sv5 to create a series of exploits or attack steps. An Attack Detector 220 applies a Traffic Filter 222 to the Network Traffic 234 to identify a subset of the traffic. The subset includes only traffic associated with services that are both: i) identified by data modelling relationships between vulnerabilities, such as Attack Graph 230, and ii) identified by IDS 232 as currently being under attack. The Signature Generator 224 creates an attack signature from this filtered traffic. The Traffic Monitor 226 may then use the signature to identify the network attack and flag it as Network Attack Identification 250.
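The filter-then-sign pipeline described above, as an added illustration that is not code from the patent itself: the hosts, service names, flows and payloads are constructed, and the signature scheme (longest common payload prefix per service, with a minimum length so a near-empty prefix cannot match everything) is an assumed stand-in for whatever Signature Generator 224 actually computes.

```python
from dataclasses import dataclass
from os.path import commonprefix  # works on any list of sequences, bytes included


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    service: str
    payload: bytes


# Attack Graph 230: services on an exploit path from Host 0 (constructed sample).
ATTACK_GRAPH_SERVICES = {"sv0", "sv1", "sv3"}
# IDS 232: services it currently reports as under attack (constructed sample).
IDS_ALERT_SERVICES = {"sv1", "sv3", "sv5"}

# Network Traffic 234 (constructed sample flows; payloads are placeholders).
NETWORK_TRAFFIC = [
    Flow("host0", "host1", "sv0", b"PING"),
    Flow("host0", "host1", "sv1", b"OP=EXEC;arg=aaaa"),
    Flow("host0", "host2", "sv1", b"OP=EXEC;arg=bbbb"),
    Flow("host0", "host2", "sv3", b"AUTH user=x"),
    Flow("host0", "host2", "sv3", b"AUTH user=y"),
    Flow("host0", "host2", "sv5", b"STAT"),
]


def traffic_filter(traffic, graph_services, ids_services):
    """Traffic Filter 222: keep flows whose service is BOTH on the attack graph
    AND currently flagged by the IDS (the intersection, not the union)."""
    relevant = set(graph_services) & set(ids_services)
    return [f for f in traffic if f.service in relevant]


def generate_signature(flows, min_len=4):
    """Signature Generator 224 (assumed scheme): per service, the longest common
    payload prefix of the filtered flows. Prefixes shorter than min_len are
    dropped so that an almost-empty signature cannot match all traffic."""
    by_service = {}
    for f in flows:
        by_service.setdefault(f.service, []).append(f.payload)
    sigs = {}
    for svc, payloads in by_service.items():
        prefix = commonprefix(payloads)
        if len(prefix) >= min_len:
            sigs[svc] = prefix
    return sigs


def matches(flow, signatures):
    """Traffic Monitor 226: does this flow match the signature for its service?"""
    sig = signatures.get(flow.service)
    return sig is not None and flow.payload.startswith(sig)


def identify_attacks(traffic, signatures):
    """Flows that would be reported as Network Attack Identification 250."""
    return [f for f in traffic if matches(f, signatures)]
```

Note that sv0 (on the graph but not alerted) and sv5 (alerted but not on the graph) contribute nothing to the signature set, which is the point of requiring both conditions.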