SoK: Harmonizing Attack Graphs and Intrusion Detection Systems

Andrea Agiollo, Enkeleda Bardhi, Alessandro Palma, Riccardo Lazzeretti, Silvia Bonomi, Fernando Kuipers

TL;DR

This paper presents the first systematic analysis of AG-IDS integration, reviewing 73 works from the literature, and proposes a formal AG-IDS lifecycle that establishes a continuous feedback loop: IDSs refine the accuracy of AG models, and those updated models, in turn, enhance IDS detection capabilities.

Abstract

Detecting and responding to cyber attacks is increasingly difficult as high-volume, complex network traffic allows threats to remain concealed. While Intrusion Detection Systems (IDSs) identify anomalous behavior, Attack Graphs (AGs) serve as the primary threat model for analyzing attacker strategies and informing any response. Although the conceptual connection was recognized in early research, the field of AG and IDS integration lacks a common structure. This paper presents the first systematic analysis of AG-IDS integration, reviewing 73 works from the literature. We introduce a novel taxonomy revealing that current research is dominated by specialized, single-purpose integrations, such as using AGs to filter IDS false positives or using IDS alerts to prune AGs. Our analysis highlights a critical gap: the absence of a unifying framework that treats IDSs and AGs as a cohesive, integrated system. To address this gap, we propose a formal AG-IDS lifecycle. This framework establishes a continuous feedback loop where IDSs refine the accuracy of AG models, and those updated models, in turn, enhance IDS detection capabilities. We provide a proof-of-concept implementation demonstrating the practical advantages of this lifecycle for threat detection and incident response. Finally, we conclude by elaborating on significant opportunities for future development within the AG-IDS domain.
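As an added illustration (not the paper's proof-of-concept code), the toy below encodes both directions of the feedback loop the abstract describes: AG-based refinement of IDS alerts (alerts that do not fit the attacker's confirmed position in the graph are flagged as likely false positives) and IDS-driven refinement of the AG (unknown alert steps become candidate graph extensions anchored at the attacker's current frontier). The attack graph, step names and alert stream are constructed assumptions.

```python
from collections import namedtuple

Alert = namedtuple("Alert", "ts host step")  # IDS alert already mapped to an AG step

# Constructed toy attack graph: step -> prerequisite steps (OR-semantics; an
# empty set marks an entry point). Not the paper's graph.
ATTACK_GRAPH = {
    "port_scan":   set(),
    "web_exploit": {"port_scan"},
    "ssh_brute":   {"port_scan"},
    "priv_esc":    {"web_exploit", "ssh_brute"},
    "exfil":       {"priv_esc"},
}

def enabled_steps(graph, confirmed):
    """Steps an attacker can take next, given the steps already confirmed."""
    return {s for s, pre in graph.items() if not pre or pre & confirmed}

def frontier(graph, confirmed):
    """Confirmed steps with no confirmed successor: the attacker's current position."""
    return {s for s in confirmed if not any(s in graph[t] for t in confirmed)}

def refine_alerts(graph, alerts):
    """AG-based IDS refinement: keep an alert only if its step is enabled by what
    is already confirmed; flag the rest as likely false positives. Alerts for
    steps the AG does not know are collected as proposals, attached to the
    frontier observed at that moment (IDS-based AG refinement)."""
    confirmed, kept, flagged, proposals = set(), [], [], {}
    for a in alerts:
        if a.step not in graph:
            proposals[a.step] = frontier(graph, confirmed)
            flagged.append(a)
        elif a.step in enabled_steps(graph, confirmed):
            kept.append(a); confirmed.add(a.step)
        else:
            flagged.append(a)
    return kept, flagged, confirmed, proposals

def update_graph(graph, proposals):
    """Fold IDS-derived proposals into a new AG, closing the feedback loop."""
    new = {s: set(p) for s, p in graph.items()}
    for step, pre in proposals.items():
        new.setdefault(step, set()).update(pre)
    return new

# Constructed alert stream for one host, in time order.
ALERTS = [Alert(1, "h1", "exfil"), Alert(2, "h1", "port_scan"),
          Alert(3, "h1", "priv_esc"), Alert(4, "h1", "web_exploit"),
          Alert(5, "h1", "priv_esc"), Alert(6, "h1", "dns_tunnel")]
```

Run once on the original graph, the stream keeps port_scan, web_exploit and priv_esc, flags the premature exfil and priv_esc alerts, predicts ssh_brute and exfil as the next enabled steps, and proposes dns_tunnel with priv_esc as prerequisite; after update_graph, a second pass accepts the dns_tunnel alert.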

Paper Structure (30 sections, 19 figures, 1 table)

Figures (19)

  • Figure 1: Distribution of papers across the three taxonomy categories of AG-IDS integration.
  • Figure 2: Statistical analysis of the IDS-based AG generation literature. Alert Corr. = Alert Correlation, Vuln. An. = Vulnerability Analysis, Resp. = Response, Det. Ref. = Detection Refinement, IDS Optim. = IDS Optimization, Run. Det. = Runtime Detection, Sig. not ML = Signature not ML, An+ML = Anomaly and ML, Ag = Agnostic, $\ast$ = Signature and ML, An = Anomaly not ML, NI = Network, HI = Host, HB = Host-based, SB = State-based, VB = Vulnerability-based, AB = Attack scenario-based, DDoS = DDoS, $\rtimes$ = Multi-step attacks, $\dagger$ = Remote Code Execution, DoS = DoS, $\ddagger$ = U2R, $\unrhd$ = R2L, K = Key Loggers, $\bullet$ = OS scan, $\circ$ = Probing, $\diamond$ = Port scan, $\clubsuit$ = SSH Brute Force, DARPA = DARPA2000, Sim = Simulation, $\spadesuit$ = Defcon CTF'17, $\heartsuit$ = CSE-CIC-IDS-2018, $\bowtie$ = ISCXIDS2012, $\bigstar$ = NSL-KDD, $\triangle$ = CTU-13, $\blacktriangle$ = CICIoT2023, $\triangledown$ = CPTC-2018, Custom = Custom, $\pitchfork$ = DARPA-CT-2019, $\Vdash$ = StreamSpot, $\gtrdot$ = 4SICS-2015, $\unlhd$ = CCDC-2018, U = Unspecified, $\triangleleft$ = Cloud computing, CPS = Cyber-Physical Systems, SG = Smart Grids, $\triangleright$ = Internet of Things, $\natural$ = AMI System, $\flat$ = Software Defined Networking, C = Smart Cities, $\sharp$ = Enterprise network system, $\blacksquare$ = Smart home system, ICS = Industrial Control Systems, $\amalg$ = SOCs, E = Edge computing, None = None, NN = Neural Network, B = Bayesian Network, MC = Markov Chain, AI = Artificial Immune System, DT = Decision Tree, SV = Support Vector Machine, PA = Probabilistic Automaton.
  • Figure 3: Statistical analysis of the AG-integrated IDS literature. Refer to Figure 2 for the legend.
  • Figure 4: Statistical analysis of the AG-based IDS Refinement literature. Refer to Figure 2 for the legend.
  • Figure 5: AG-IDS lifecycle envisioned in this SoK. Legend: IDS = Intrusion Detection System; NIDS = Network Intrusion Detection System; HIDS = Host Intrusion Detection System; AG = Attack Graph; $AG|IDS$ = IDS-based AG Generation; $IDS[AG]$ = AG-integrated IDS; $IDS \rightarrow AG$ = AG-based IDS Refinement.