
IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 19, NO. 2, MARCH/APRIL 2022, p. 731

Alert-Driven Attack Graph Generation Using S-PDFA

Azqa Nadeem, Sicco Verwer, Stephen Moskal, and Shanchieh Jay Yang, Senior Member, IEEE

Abstract—Ideal cyber threat intelligence (CTI) includes insights into attacker strategies that are specific to a network under observation. Such CTI currently requires extensive expert input for obtaining, assessing, and correlating system vulnerabilities into a graphical representation, often referred to as an attack graph (AG). Instead of deriving AGs based on system vulnerabilities, this work advocates the direct use of intrusion alerts. We propose SAGE, an explainable sequence learning pipeline that automatically constructs AGs from intrusion alerts without a priori expert knowledge. SAGE exploits the temporal and probabilistic dependence between alerts in a suffix-based probabilistic deterministic finite automaton (S-PDFA) — a model that brings infrequent severe alerts into the spotlight and summarizes paths leading to them. Attack graphs are extracted from the model on a per-victim, per-objective basis. SAGE is thoroughly evaluated on three open-source intrusion alert datasets collected through security testing competitions in order to analyze distributed multi-stage attacks. SAGE compresses over 330k alerts into 93 AGs that show how specific attacks transpired. The AGs are succinct, interpretable, and provide directly relevant insights into strategic differences and fingerprintable paths. They even show that attackers tend to follow shorter paths after they have discovered a longer one in 84.5% of the cases.

Index Terms—Alert-driven attack graphs, explainable machine learning, suffix automaton model, attacker strategy, intrusion alerts

1 INTRODUCTION

Alert investigation is one of the main responsibilities of security operations centers (SOC); and it is largely used for reactive defense capabilities. However, alert management can also be used to derive proactive cyber threat intelligence (CTI), e.g., by deducing attacker strategies specific to a network under observation. The biggest hurdle to this aim is the large volume of alerts that SOCs receive on a daily basis: alert fatigue is one of the most prevalent problems faced by analysts working in SOC environments [1]. A survey conducted during the RSA conference in 2018 revealed that security analysts receive more than a million alerts each day, many of which they cannot even address the same day [2]. Alert correlation reduces the volume of alerts by grouping alerts from the same attack stage [3], [4], [5]. However, it does not provide a bigger picture of the attack, and the subsequent analysis to obtain actionable insights into attacker strategies is still manual and labor-intensive.

Attacker strategies are often represented via attack graphs (AG), which are commonly used for visual analytics [6], [7], [8] and forensic analysis [9], [10]. Existing AG generation approaches fall under the Topological Vulnerability Analysis (TVA) [11] that requires an extensive amount of expert knowledge and published vulnerability reports [12], [13]. As such, expert-driven AG generation is time-consuming; and it is ineffective to constantly rely on vulnerability scanning – the delayed nature of vulnerability reporting leaves blind-spots in an organization's security [14]. Additionally, shared threat intelligence reports are often not directly relevant to one's own network [15]. To the best of our knowledge, it is still an open problem to construct attack graphs that provide directly relevant intelligence regarding attacker strategies without expert input.

In this paper, we formally define our proposed system, SAGE (IntruSion alert-driven Attack Graph Extractor) [16]. SAGE generates AGs directly from intrusion alerts without a priori vulnerability and network topology information. It adopts an explainable sequence learning pipeline to exploit the temporal and probabilistic dependence present between intrusion alerts. SAGE can directly augment existing intrusion detection systems (IDS) for triaging large volumes of alerts to produce only a handful of AGs. These alert-driven AGs unlock a new means to derive intelligence regarding attacker strategies without having to investigate thousands of intrusion alerts. Fig. 1 shows the boxology diagram for SAGE, according to the modular design patterns by van Bekkum et al. [17].

A particular challenge for machine learning-enabled attacker strategy identification is the scarcity of severe alerts — the majority of alerts are associated with network scans, which are not interesting for an analyst due to their widespread use [18]. Therefore, frequency analysis methods like frequent pattern mining and longest common subsequence are inherently unsuitable, since they discard infrequent behavior. Instead, we learn an interpretable suffix-based probabilistic deterministic finite automaton (S-PDFA) using the FlexFringe automaton learning framework [19]. We tune the

Azqa Nadeem and Sicco Verwer are with the Department of Intelligent Systems, Delft University of Technology, 2628 XE Delft, The Netherlands. E-mail: {azqa.nadeem, s.e.verwer}@tudelft.nl.
Stephen Moskal and Shanchieh Jay Yang are with the Department of Computer Engineering, Rochester Institute of Technology, Rochester, NY 14623 USA. E-mail: {sfm5015, Jay.Yang}@rit.edu.
Manuscript received 1 Dec. 2020; revised 30 July 2021; accepted 24 Sept. 2021. Date of publication 4 Oct. 2021; date of current version 14 Mar. 2022.
This effort was partially supported by United States NSF under Grant 1742789 and RIT Global Cybersecurity Institute.
(Corresponding author: Azqa Nadeem.)
Digital Object Identifier no. 10.1109/TDSC.2021.3117348
1545-5971 © 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.

Authorized licensed use limited to: JNT University Kakinada. Downloaded on May 09,2022 at 16:25:23 UTC from IEEE Xplore. Restrictions apply.

Fig. 1. SAGE takes intrusion alerts as input and generates attack graphs. Intrusion alerts are transformed into episode sequences (Section 4.1). An
interpretable S-PDFA model is learned from those sequences (Section 4.2). The sequences are replayed through the S-PDFA and transformed into
targeted attack graphs (Section 4.3).

learning algorithm and transform the alert data such that the resulting model accentuates infrequent severe alerts, without discarding any low-severity alerts. The model summarizes attack paths leading to severe attack stages. It can distinguish between alerts with the same signature but different contexts, i.e., scanning at the start and scanning mid-way through an attack are treated differently, since the former indicates reconnaissance and the latter indicates attack progression. Targeted attack graphs are extracted from the S-PDFA on a per-victim, per-objective basis.

We demonstrate SAGE's effectiveness on distributed multi-stage attack scenarios, i.e., where multiple attackers collaborate to compromise various targets progressing through numerous attack stages. Discovering attacker strategies in this setting is inherently difficult because host information cannot be used to aggregate alerts from different collaborating attacker(s). Security testing competitions provide an ideal setting to study such attacks in a controlled setting. To this end, we use three open-source datasets collected through penetration testing competitions [20] and blue team exercises [21] that have significantly different statistical properties and target infrastructures.

On one of the datasets, SAGE compresses over 330k alerts into 93 AGs in under a minute. Even with an imperfect IDS, the AGs capture the strategies used by the participating teams. They reveal that 84.5% of the time, attackers follow a shorter path to re-exploit an objective, after they have already discovered a longer path. Moreover, the AGs provide the visual means to compare attacker strategies. We show how to use this comparison to find fingerprintable paths and to rank various attackers based on the severity of their actions. Finally, SAGE is agnostic to the specific inner workings of an IDS, and can process any alert dataset as long as it contains IP addresses, port-numbers, and a description of the observed attack event. Our main contributions are:

1) We propose suffix-based probabilistic deterministic finite automaton (S-PDFA), an interpretable sequence model that focuses on infrequent severe alerts without discarding any low-severity alerts. The model summarizes attack paths in the dataset.
2) We provide formal definitions for SAGE's components, including a thorough explainability analysis of SAGE and the alert-driven AGs it generates.
3) We utilize three security testing competition datasets to extensively evaluate SAGE. We show it is generalizable and the AGs provide actionable intelligence regarding attacker strategies, strategic differences, and fingerprintable paths.

Section 2 describes two practical use-cases for SAGE. We provide a brief overview of the related works in Section 3. The architecture of SAGE, along with its explainability aspect, is illustrated in Section 4. Sections 5 and 6 describe the experimental setup and a thorough analysis of alert-driven attack graphs. We discuss the limitations of SAGE in Section 7 and conclude in Section 8.

2 USE-CASES FOR SAGE

SAGE uses intrusion alerts to generate attack graphs (AG) that succinctly display all the paths that reach a given objective, making it an interpretable visual analytics tool. Below, we highlight use-cases for two types of users.

SOC Analysts. The primary use-case explored in this paper is about enabling SOC analysts to extract threat intelligence about attacker strategies from previously observed malicious activities. As such, SAGE augments existing SIEMs and IDSs by triaging the attack scenarios of interest, e.g., for specific assets in a network. The selected alert-driven AGs can be analyzed and attacker strategies can be derived for corroborating specific evidence. Sections 6.1.1 and 6.1.2 discuss concrete examples of interpreting and comparing attacker strategies. The occurrence of certain paths in an AG can serve as fingerprints (see Section 6.1.3). Additionally, attacker hosts can be ranked based on the severity of alerts they raise (see Section 6.1.4).

Red Teams. As an adversarial use-case, SAGE can act as a monitoring intermediary during red team training. After a training session, the teams review alert-driven AGs for


gaining intelligence, such as (i) identifying the shortest path to an objective that was discovered by a team member, or (ii) showing redundant paths, for instance, due to lack of communication between the team members. Enumerating all paths toward an objective can help the teams develop creative strategies (example in Section 6.3). Teams can use such feedback to further improve their performance.

3 RELATED WORK

Cyber Threat Intelligence. CTI refers to evidence-based situational awareness, which typically involves insights into the tactics, techniques, and strategies employed by cyber adversaries [22]. Intrusion detection systems (IDS) generate thousands of alerts on a daily basis. Alert triaging techniques have been proposed to model attack scenarios, such as alert correlation [3], [4], [5], [23], [24], [25], [26], [27] and alert prioritization [28], [29]. Alert correlation groups alerts from the same attack stage, while alert prioritization highlights and summarizes alerts for speeding up the response time. Although these methods drastically reduce alert volume, they do not provide a bigger picture of the specific strategies employed by the attackers.

Attack Graph Generation. SOC analysts rely on labor-intensive processes for obtaining intelligence regarding attacker strategies. Attack graphs (AG) provide a concise way of displaying these strategies [8], [14]. Specifically in the network security domain, Kaynar et al. [30] have proposed a taxonomy of the existing AG generation approaches. Many of them fall under the topological vulnerability analysis (TVA) [11], which relies heavily on a priori knowledge about the topology of, and vulnerabilities in, a network, making them unsuitable for zero-day attacks. MulVAL [12] and NetSPA [13] are popular tools in this category. Next to this, there are many approaches to improve pre-existing AGs, e.g., works focusing on AG completeness [31], [32], AG complexity reduction [33], [34], and what-if analyses [6], [7].

Learning From Observables. Cyber data from prior security incidents can be utilized to gain insights into attacker behavior, e.g., using log data [35], [36], [37], sensor data [38], and network traffic [39]. Process mining and Markov models are particularly well-suited for sequential learning problems. Process mining (PM) has been used to provide a visual summary of the intrusion alert datasets [40], [41]. While great for modeling concurrent events, PM models are dense and cannot be used to model context: they use alert signatures as identifiers, which makes it impossible to distinguish between alerts with different contexts but identical signatures. Markov models, however, have no such limitation. Moskal et al. [42] use suffix-based Markov chains to represent attacker strategies as sequences of hyper-alerts. They measure attack sequence similarity using Jensen-Shannon divergence. In this paper, we propose SAGE, which is a purely alert-driven approach for generating attack graphs. We borrow initial ideas from Moskal et al. [42]. We leverage the temporal and probabilistic dependence between alerts to generate targeted attack graphs without a priori expert knowledge. The probabilistic deterministic finite automaton (S-PDFA) that we use has more expressive power than Markov chains, while being easier to interpret.

Explainability. SAGE provides an explainable and automated alternative to the manual process of finding attacker strategies. It is important to note that while explainability is widely considered for classification decisions, SAGE is not a classifier, and the explainability lies in the attack graphs instead. Because the explainability aspect of SAGE is an important design consideration, we do not consider inherently black-box models, such as neural networks [43]. While attention mechanisms [44] and linear proxy models [45] help explain the decisions of such black-box models, they offer post-hoc interpretability on a per-input basis. Instead, SAGE relies on the interpretable nature of its entire pipeline. As opposed to black-box models that often make use of randomization and soft decision boundaries to avoid local minima and over-fitting, SAGE relies on statistical tests, making every step in its pipeline discrete and deterministic. In addition to model interpretability, this provides design- and algorithmic transparency. We make conscious design decisions to enhance the interpretability of the S-PDFA, and the way the attack graphs are constructed makes them explainable. These notions are described by Roscher et al. [46], who list the three components of explainable machine learning as: transparency, interpretability, and explainability. In short, interpretability is about the model, while explainability is about the output of a learning pipeline. Model interpretability allows a user to: 1) examine (visualize) a learned model, 2) reason about the discovered patterns, 3) draw inferences, and 4) combine it with subsequent analysis methods. A model is design transparent if design decisions can be motivated from the application domain, and it is algorithmically transparent if it allows a user to reverse the learning pipeline to obtain the input data that led to modeling decisions. We show examples of all of these in Sections 4.4 and 6.1.

4 SAGE: INTRUSION ALERT-DRIVEN ATTACK GRAPH EXTRACTOR

SAGE (IntruSion alert-driven Attack Graph Extractor) is a purely alert-driven approach for attack graph generation. SAGE has 3 core components, as shown in Fig. 1. It takes raw intrusion alerts as input and aggregates them into sequences of attacker actions. An automaton model is learned using these sequences, summarizing attacker strategies. Finally, attack graphs are extracted from the model on a per-victim, per-objective basis. SAGE is released as open-source.¹ It is implemented in Python and released in a docker container for cross-platform support.

In this section, we use the Collegiate Penetration Testing Competition dataset from 2018 [47], i.e., CPTC-2018, as a running example. CPTC-2018 contains intrusion alerts generated by six teams (T1, T2, T5, T7, T8, T9) attempting to compromise the infrastructure of a fictitious automotive company (see Section 5 for details). Table 1 shows how the volume of alerts is reduced by each component of SAGE.

4.1 From Intrusion Alerts to Episode Sequences

As a first step, we arrange intrusion alerts in sequences that characterize an attacker strategy. Raw intrusion alerts are noisy and often multiple alerts are triggered by a single

1. https://github.com/tudelft-cda-lab/SAGE


TABLE 1
For Each CPTC-2018 Team, the Number of Raw Alerts and How They Are Compressed in Each Phase of SAGE

Team  Alerts (raw)  Alerts (filtered)  Episodes  ES/ESQ  ESS/Traces  AGs
T1    81,373        26,651             655       103     108         53
T2    42,474        4,922              609       86      92          7
T5    52,550        11,918             622       69      74          51
T7    47,101        8,517              576       63      73          23
T8    55,170        9,037              439       67      79          33
T9    51,602        10,081             1,042     69      110         30

attacker action. Thus, the main goal of this step is to clean and aggregate alerts into sequences of attacker actions.

4.1.1 Alert Pre-Processing

An intrusion alert is composed of attributes such as source and destination IP addresses, a timestamp, a descriptive signature, and some protocol-specific fields. SAGE utilizes fields that are available for all alerts, regardless of the attack vector. The input to SAGE is a set of observable intrusion alerts $O$. Let $o \in O$ be an intrusion alert, with attributes $o = \langle sIP, dIP, sPort, dPort, ts, sign \rangle$. Here $sIP$, $sPort$ are the attacker's IP and port number and $dIP$, $dPort$ are the victim's IP and port number. $ts$ is the time elapsed since the first alert in seconds. $sign$ is the alert signature attribute.

Features are extracted as follows: (i) The destination port number is used to identify the likely targeted service $tServ = Serv(dPort)$ from the open source IANA mapping [48]. (ii) Intrusion alerts typically contain many repeated alerts occurring within a short time interval. Such high-frequency noise creates undesired artifacts in model learning. We filter all alerts with identical attributes that occur within a $t$-second interval, keeping only the first occurrence, i.e., we create a set $O_F \subseteq O$ such that for each observation $\langle sIP, dIP, sPort, dPort, ts, sign \rangle \in O_F$, there exists no $\langle sIP, dIP, sPort, dPort, ts', sign \rangle \in O$ with $ts \neq ts'$, and $ts - t \leq ts' < ts$. In this paper, we use $t = 1.0$ sec following [5], [42]. (iii) Instead of using the default alert signature attribute, we augment alerts with attack stages proposed by the Action-Intent Framework (AIF) of Moskal et al. [49] for categorizing them into their respective attack phases. The AIF provides a better representation of the attack stages. Based on the MITRE ATT&CK framework [50], it was proposed specifically to map action-types to dynamic observables, such as intrusion alerts. The AIF provides a mapping $mcat = Map(sign)$ from alert signatures to attack stages (see appendix, which can be found on the Computer Society Digital Library at http://doi.ieeecomputersociety.org/10.1109/TDSC.2021.3117348). (iv) Finally, the filtered set $\tilde{O}$ of intrusion alerts $\tilde{o}$ is a 5-tuple $\tilde{o} = \langle sIP, dIP, tServ, ts, mcat \rangle$ for each $o \in O_F$. Fig. 2 shows the distribution of the attack stages across all six teams in the filtered CPTC-2018 dataset.

Fig. 2. The distribution of alerts per attack stage for the CPTC-2018 teams. Scanning-alerts are significantly more frequent than exploitation-alerts.

4.1.2 Gathering Alerts Into Alert Sequences (AS)

There are three main methods for converting discrete observables into sequences: aggregation based on (i) source IP: showing the attacker's perspective, (ii) destination IP: showing the victim's perspective, and (iii) (source IP, destination IP) pair: showing individual interactions between unique attackers and victims. We select (iii) because the sequences clearly show the interaction an attacker has with a victim, without other attackers polluting the sequence, which helps to preserve the temporal dependence between alerts. Thus an alert sequence is a windowed list of alerts between a unique (attacker, victim) pair.

Definition 1. An Alert Sequence (AS) is a windowed list of alerts occurring within a time window $w$. Let $A$ be the set of unique attacker hosts, $V$ be the set of unique victim hosts, and $C$ be the set of unique attack stages ($mcat$), then $AS^{av,c} = \ddot{o}^{av,c}_1 \ldots \ddot{o}^{av,c}_n$, where $(a, v) \in A \times V$, $c \in C$. Here, $\ddot{o}^{av,c}_i = \{\hat{o}^{av,c}_1 \ldots \hat{o}^{av,c}_v\}$ is a multi-set of alerts for $1 \leq i \leq n$. For a window $w$ and given $\tilde{o}_j = \langle a, v, tServ, ts, c \rangle \in \tilde{O}$, we define $\hat{o}^{av,c}_j = \langle tServ, ts, c \rangle$ such that $P_{ts}(\hat{o}^{av,c}_1) = i \cdot w$, $P_{ts}(\hat{o}^{av,c}_v) - P_{ts}(\hat{o}^{av,c}_1) \leq w$, and $P_{ts}(\hat{o}^{av,c}_j) \leq P_{ts}(\hat{o}^{av,c}_{j+1})$, for $1 \leq j \leq v$. Here, $P_X(\hat{o}^{av,c}_j)$ is the projection of the $X$ attribute of $\hat{o}^{av,c}_j$. Furthermore, we use $f'(i)$ to denote the first derivative of the number of alerts per window over time, i.e., $f'(i) = \Delta|\ddot{o}^{av,c}_i| / \Delta i$ (will be used to define slope in Algorithm 1).

In contrast to other works that use $sIP$ and $dIP$ as explicit features [24], [25], [26], we only use them to construct sequences. This allows identification of related alerts originating from different sources.

4.1.3 Aggregating AS Into Episode Sequences (ES)

Intrusion alerts are aggregated into a group, such that they likely belong to the same attacker action. In the literature, such an aggregation is called an attack episode [42]. We assume that these episodes closely characterize attacker actions. Generally, low-severity alerts are so frequent that they subsume high-severity alerts. To overcome this, we treat each attack stage separately. Intuitively, we test the frequency of all alerts in a windowed sequence: when the frequency starts to increase (an up), we consider it the start of an


Fig. 4. Episode sequences from CPTC-2018: Each sequence is a list of tuples $\langle st, et, mcat, mServ \rangle$, ordered in time.

Fig. 3. Bursts of alerts from the same attack stage are aggregated into episodes. Here, an attack sequence related to vulnerability scanning is aggregated into two episodes.

episode; when the frequency is continuously decreasing and reaches a global minimum (a down), we consider it the end of that episode (see example in Fig. 3). Episodes are the building block of SAGE. All extracted episodes are collected and time-sorted in an episode sequence (see Algorithm 1).

Algorithm 1. Alert to Episode Sequence Conversion
Input: Alert sequence: as
Output: Episode sequence: es
  def CONVERT_TO_ES(as)
    es = []
    for (mcat_x, as_x) in SPLIT_ON_MCAT(as) do
      timed_as = LEN(sub) for all sub in as_x
      slope = f'(x) for all x in timed_as
      ups = GET_POSITIVE_SLOPES(slope)
      downs = GET_NEGATIVE_SLOPES(slope)
      episodes = GET_EPISODES(ups, downs)
      es.append((mcat_x, ep)) for all ep in episodes
    end for
    es = SORT_BY_EPISODE_START(es)
    return es
  def GET_EPISODES(ups, downs)
    episodes = []
    for i in [0, ..., LEN(ups) - 1] do
      if IS_DOWN_BETWEEN_UPS(i, i + 1, downs) then
        down = GET_LAST_DOWN(i, i + 1, downs)
        episodes.append((ups[i], down))
      end if
    end for
    return episodes

Definition 2. An Episode Sequence (ES) for an attacker $a$ and victim $v$ is a list of episodes, $ES^{av} = epi^{av}_1 \ldots epi^{av}_m$. An episode is a 4-tuple $epi^{av}_j = \langle st^{av}, et^{av}, mcat^{av}, mServ^{av} \rangle$ for $1 \leq j \leq m$, where $st^{av}, et^{av} \in \mathbb{R}$ denote the start and end time of an episode, $mcat^{av}$ is the attack stage of an episode, and $mServ^{av}$ is the most frequently targeted service in an episode.

In essence, ES's are aggregated sequences of alerts (see Fig. 4). We construct $ES^{av}$ from a windowed alert sequence of attack stage $c$, i.e., $AS^{av,c} = \ddot{o}^{av,c}_1 \ldots \ddot{o}^{av,c}_n$. For each $1 \leq s \leq e \leq n$, the start time is $st^{av} = \min(P_{ts}(\ddot{o}^{av,c}_s))$ if $f'(s) = 0$ and $f'(s+1) > 0$; the end time is $et^{av} = \max(P_{ts}(\ddot{o}^{av,c}_e))$ if $f'(e) = 0$ and $f'(e-1) < 0$; the attack stage is $mcat^{av} = c$, and the most frequently targeted service is $mServ^{av} = \arg\max_{mserv} |\{P_{tServ}(\ddot{o}^{av,c}_i) = mserv : s \leq i \leq e\}|$.

4.2 Suffix-Based Probabilistic Deterministic Finite Automaton (S-PDFA)

The insight provided by episode sequences is limited because they fail to capture the temporal dependence between episodes. We use a suffix-based probabilistic deterministic finite automaton (S-PDFA) with Markovian properties to summarize attacker strategies. It clusters similar attack paths based on temporal and behavioral similarity. It also brings infrequent severe episodes into the spotlight. This last requirement is problematic because most clustering approaches ignore infrequent patterns.

In contrast to regular Markov chains, an automaton model is able to distinguish between episodes of the same $mcat$ with different contexts, e.g., a scanning event happening at the start, and one happening mid-way through an attack, when attackers have already gained some knowledge, are treated differently. This makes them popular for learning the behavior of software systems, such as communication protocols and even malware, see e.g., [51], [52], [53], [54].

Definition 3. A Suffix-based Probabilistic Deterministic Finite Automaton (S-PDFA) is a 5-tuple $\mathcal{A} = \langle Q, \Sigma, \Delta, P, q_0 \rangle$ defining the machine structure: $Q$ is a finite set of states; $\Sigma$ is a finite alphabet of symbols; $\Delta$ is a finite set of transitions; $P : \Delta \to [0, 1]$ is the transition probability function, and $q_0 \in Q$ is the final state (due to suffix model). A transition $\delta \in \Delta$ in an S-PDFA is a tuple $\langle q, q', a \rangle$, where $q, q' \in Q$ are the target and source states, and $a \in \Sigma$ is a symbol. $P$ is a function such that $\sum_{q', a} P(\langle q, q', a \rangle) = 1$. Additionally, $\Delta$ is such that for every $q \in Q$ and $a \in \Sigma$, there exists at most one $\langle q, q', a \rangle \in \Delta$, making the model (suffix) deterministic.

A suffix automaton contains a single final state and does not model starting states. Instead of generating a sequence from the start, it generates sequences from the end. It still represents a probability distribution over $\Sigma^n$ for all $1 \leq n$. The probability of a sequence $s = a_1 \ldots a_n$ is computed along the reverse path $q_0\, a_n\, q_1\, a_{n-1}\, q_2 \ldots a_1\, q_n$, with $\langle q_i, q_{i+1}, a_{n-i} \rangle \in \Delta$, called the S-PDFA run. The sequence probability is then $P(s) = \prod_{0 \leq i < n} P(\langle q_i, q_{i+1}, a_{n-i} \rangle)$, where $\prod$ denotes a product. For any trace, there exists a unique run due to suffix determinism. The Flexfringe automaton learning framework [19] can be used to learn suffix models. Flexfringe implements several automaton learning heuristics within the well-known state merging algorithms, such as state merging [55] and DFASAT [56] (see [57] for details).


Fig. 5. A suffix tree for three traces. For any vertex, the previous vertex happens chronologically in the future.

4.2.1 Input Trace Construction

Whereas an episode sequence may contain multiple attempts to exploit a victim host, an S-PDFA models each attempt separately to find partial overlap in attacker strategies. To this end, an ES is partitioned into episode subsequences (ESS) when a low-severity episode follows a high-severity one. $Severity(epi)$ is a user-defined function, determined by the acceptable risk of a SOC. By default, scanning has low severity, exploitation has high severity and the rest of the enabler-actions have medium severity (see appendix, available in the online supplemental material).

Definition 4. Given an $ES^{av} = epi^{av}_1 \ldots epi^{av}_m$, define a break-point as an index $i$ such that $Severity(epi^{av}_{i+1}) < Severity(epi^{av}_i)$. An Episode Subsequence $ESS^{av} = epi^{av}_s \ldots epi^{av}_{s'}$ is a contiguous subsequence of $ES^{av}$ without break-points, i.e., $ES^{av} = epi^{av}_1 \ldots epi^{av}_s \ldots epi^{av}_{s'} \ldots epi^{av}_m$. Every $ES^{av}$ is broken into its break-point-free subsequences $ES^{av} = ESS^{av,1} \ldots ESS^{av,k}$.

The S-PDFA learns on sequences of univariate symbols, called traces. One trace is constructed per ESS. The symbols signify the most apparent intent of episodes, defined by $\langle mcat, Theme(mServ) \rangle$. $Theme()$ groups services based on their functionality (see appendix, available in the online supplemental material). This gives 536 traces, which is small but sufficient to learn insightful S-PDFAs.

Fig. 6. The S-PDFA model for CPTC-2018. The states are colored according to the severity of the incoming symbol's attack stage: red is high, blue is medium, white is low.
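Definitions 3 and 4 and the trace construction above, as an added Python example that is neither SAGE's nor FlexFringe's code: an episode sequence is cut at its break-points, each ESS becomes a trace of ⟨mcat, Theme(mServ)⟩ symbols, and a suffix tree over the reversed traces (as in Fig. 5) is read as an S-PDFA whose transition probabilities are relative frequencies, without any state merging. The severity levels, the Theme() table and the episode data are constructed; the example also multiplies in the probability that a trace begins at the last state of its run, which Definition 3 leaves implicit, so that the probabilities of the training traces sum to 1.

```python
from collections import Counter

# Assumed severity levels following the paper's defaults: scanning low, exploitation
# high, other enabler actions medium.
SEVERITY = {"vulnScan": 0, "hostDisc": 0, "privEsc": 1, "exploit": 2}
# Constructed stand-in for Theme(), which groups services by functionality (appendix).
THEME = {"http": "web", "https": "web", "smb": "fileshare", "ssh": "remote"}

# Constructed ES^{av} of <st, et, mcat, mServ> episodes for one (attacker, victim) pair.
ES_SAMPLE = [(0.0, 4.5, "vulnScan", "http"), (10.2, 12.8, "vulnScan", "smb"),
             (15.0, 15.0, "exploit", "smb"), (20.0, 21.0, "vulnScan", "http"),
             (25.0, 26.0, "privEsc", "ssh"), (30.0, 31.0, "exploit", "smb")]


def break_points(es):
    """Definition 4: index i is a break-point when Severity(epi_{i+1}) < Severity(epi_i)."""
    return [i for i in range(len(es) - 1) if SEVERITY[es[i + 1][2]] < SEVERITY[es[i][2]]]


def split_into_ess(es):
    """Cut ES^{av} after every break-point into ESS^{av,1} ... ESS^{av,k}."""
    pieces, start = [], 0
    for i in break_points(es):
        pieces.append(es[start:i + 1])
        start = i + 1
    pieces.append(es[start:])
    return pieces


def to_trace(ess):
    """One trace per ESS; each symbol is <mcat, Theme(mServ)>."""
    return [f"{mcat}|{THEME.get(mserv, 'other')}" for _, _, mcat, mserv in ess]


class SuffixPDFA:
    """A suffix tree built from reversed traces (Fig. 5), read as an S-PDFA (Definition 3):
    state 0 is the single final state q0; trans[q][a] = q' stores the transition <q, q', a>,
    so every (q, a) has at most one target, i.e. the model is suffix deterministic."""

    def __init__(self):
        self.trans = {0: {}}
        self.count = Counter()   # how often transition (q, a) was taken by a training trace
        self.visits = Counter()  # how often state q was reached by a training trace
        self.out = Counter()     # how many training traces continued past state q

    def add_trace(self, trace):
        q = 0
        self.visits[q] += 1
        for a in reversed(trace):  # reading a_n first turns the prefix tree into a suffix tree
            if a not in self.trans[q]:
                self.trans[q][a] = len(self.trans)
                self.trans[self.trans[q][a]] = {}
            self.count[(q, a)] += 1
            self.out[q] += 1
            q = self.trans[q][a]
            self.visits[q] += 1

    def prob(self, q, a):
        """P(<q, q', a>) estimated by relative frequency, as Alergia does before merging."""
        return self.count[(q, a)] / self.visits[q]

    def start_prob(self, q):
        """Probability that a trace begins (its earliest episode) at q: the mass not spent
        on outgoing transitions. Added assumption; Definition 3 has no start states."""
        return (self.visits[q] - self.out[q]) / self.visits[q]

    def run(self, trace):
        """The unique run q0 a_n q1 a_{n-1} ... a_1 qn; returns (states, P(s)),
        with P(s) = 0 when the trace never occurred in this form."""
        q, states, p = 0, [0], 1.0
        for a in reversed(trace):
            if a not in self.trans[q]:
                return states, 0.0
            p *= self.prob(q, a)
            q = self.trans[q][a]
            states.append(q)
        return states, p * self.start_prob(q)


def build_model(traces):
    model = SuffixPDFA()
    for tr in traces:
        model.add_trace(tr)
    return model


if __name__ == "__main__":
    traces = [to_trace(ess) for ess in split_into_ess(ES_SAMPLE)]
    traces.append(["vulnScan|fileshare", "exploit|fileshare"])  # constructed trace of another pair
    model = build_model(traces)
    for tr in traces:
        print(tr, model.run(tr))
```

The run of every trace starts at q0 with the exploit symbol and walks backwards in time, so two traces that end in the same exploit share their first states even when their scanning prefixes differ.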

4.2.2 S-PDFA for SAGE

We opt for a suffix model because we are interested in predicting which episodes eventually lead to high-severity attack stages. These attack stages are infrequent, and always lie at the end of our input traces. Therefore, a suffix-automaton model is used to predict the past, instead of predicting the future. Each state in an S-PDFA model can be thought of as a milestone achieved by an attacker.

Although Flexfringe uses prefix-based models, we obtain a suffix-based one by simply reversing the input traces. We choose the Flexfringe implementation of the Alergia algorithm [58] because of limited data. For reversed traces, the algorithm constructs a suffix tree (see Fig. 5 for an example). The algorithm starts at the root of the suffix tree and iteratively tries to merge states based on the chosen merge criteria. The parameter selection for model learning is guided by the properties of the input traces and some trial-and-error of visualizing the model until satisfied. Fortunately, the algorithm learns these models in less than 0.5 seconds. Fig. 6 shows the S-PDFA for CPTC-2018, learned from all 536 traces to enable behavior comparison.

We use three important settings for learning an interpretable S-PDFA: (i) We limit which states are used to compute statistics. The learning algorithm merges two states if it does not find sufficient evidence that the states are different. A lower bound on the data required for this evidence is controlled by the state count and symbol count parameters. Intuitively, it is better to use only frequently-occurring states and transitions in the statistical tests, but the default values of 50 and 25 are much too large for the limited amount of high-severity episodes in the dataset. We set both to 5, implying that a state in the suffix tree that occurs only 5 times in total can provide sufficient evidence to prevent a merge from happening. (ii) We use the Markovian property, which dictates that for any given states $q_1$ and $q_2$ to be merged, the previous transition labels have to be identical, i.e., $\langle q_1', q_1, a\rangle$ and $\langle q_2', q_2, a\rangle$. It enforces that the incoming transition label for each state is unique, which makes the model easier to interpret. (iii) We utilize sink states. The core algorithm continues merging until all states have either been merged or added to the model. For infrequent states, there is typically insufficient evidence to prevent a merge and they can, therefore, be merged with any of the states added in the previous iterations. The sink count parameter avoids this by disallowing merges of states that occur sink count times or less, which we set to 5. The states that occur less than sink count times are not displayed in the learned model, which makes it easier to interpret. That said, high-severity sink states are interesting from a behavioral perspective since they show the rare exploitative actions. We perform post-processing to include such high-severity sink states in the learned model. This process salvages 13% of the sinks, which otherwise would not have appeared in the attack graphs.

The chosen state merging algorithm ensures that only the states with similar pasts are merged. The Markovian property, in addition, forces the immediate future to be identical. Thus, the occurrence of identical episodes leading to different states highlights semantic differences, e.g., data exfiltration|http may either be reached by service discovery → code execution, or by vulnerability discovery → privilege escalation. Separate states will be learned for these two types of data exfiltration, capturing their context.

4.2.3 S-PDFA Model Quality Evaluation

Evaluating model quality is a hard problem in grammatical inference [57], [59]. Typically, it is measured using a trade-off between model size and fit. We are mainly interested in the insight provided by the S-PDFA. The initial suffix tree shows the data as is, which provides insight but does not show similarities between the different traces. The S-PDFA shows such similarities by performing merges. Every such merge generalizes from the training data, and assigns probability mass to unseen test data. We use Perplexity to quantify model quality. It measures the prediction power of a model, and has been used in grammatical inference competitions [60], [61]. It is defined as $2^{-\frac{1}{N}\sum_{i=1}^{N}\log_2 P(x_i)}$, where $N$ is the number of traces, and $P(x_i)$ returns the probability of the trace $x_i$. The lower the value, the better the model fits the data. We compute perplexity for both training and test data, using an 80-20 split, where the former shows how well the model fits the training data, and the latter shows how well it captures patterns in the overall data.

Perplexity is computed for four suffix model-variants: (i) suffix tree: plain representation of traces in a tree format, (ii) Markov chain: standard statistical model, (iii) default S-PDFA: an S-PDFA with default settings, (iv) SAGE S-PDFA: an S-PDFA learned using the settings in this paper. Table 2 shows the perplexity for each variant. It shows that a suffix tree provides the best fit with the training data, as expected. The SAGE S-PDFA is about twice as "perplexed". It is hard to quantify how good this is exactly, but it is better than what the Markov chain and the default S-PDFA achieve. On the test data, SAGE S-PDFA gives the best perplexity value, demonstrating that it accurately captures many patterns present in the data.

TABLE 2
Model Quality Evaluation (Perplexity) of Four Suffix Variants on the CPTC-2018 Traces

                    Suffix tree   Markov chain   Default S-PDFA   SAGE S-PDFA
Training set        1265.4        13659.6        15136.5          2397.8
Holdout test set    13020.7       11617.8        11241.5          9884.6

Suffix tree and SAGE S-PDFA are the best on training and test data, respectively.

4.3 Alert-Driven Attack Graphs

The S-PDFA assigns the same context to episodes that are temporally and probabilistically similar, where context is denoted by state identifiers. We first augment episode sequences with their context, and then transform them into attack graphs (AG) on a per-victim, per-objective basis.

4.3.1 Adding Context to Episode Sequences

The states of an S-PDFA provide contextual meaning to the episodes' attack stages. Existing work by Lin et al. [62] has utilized this context to encode traces into state sequences for clustering similar car-following behaviors. We follow the same principle, and convert the episode sequences (ES) into state sequences (ESQ). We run each episode subsequence $a_1 \ldots a_n$ through the model, which produces $q_n \ldots q_0$. A state subsequence is an episode subsequence augmented with state identifiers, i.e., $q_0\, a_n\, q_1\, a_{n-1}\, q_2 \ldots a_1\, q_n$.

Definition 5. A State Sequence (ESQ) for an episode sequence $ES_{av} = ESS_{av,1} \ldots ESS_{av,k}$ is the concatenated sequence $ESQ_{av} = sq_1\, sq_2 \ldots sq_k$, where $sq_i$ is the state subsequence for $ESS_{av,i}$ for all $1 \leq i \leq k$.

4.3.2 Attack Graph Construction

The state sequences are transformed into alert-driven attack graphs based on the specified objective and the victim host. An objective $obj \in Obj$ is a 3-tuple $\langle mcat, mServ, q\rangle$ associated with a high-severity attack stage, represented by the last six categories of the Action-Intent mapping (see appendix, available in the online supplemental material). They are considered as end-goals since (a) they are typically the last actions to appear in ESS, and (b) it is unlikely that medium-severity actions, e.g., privilege escalation, are done to no end. To support episode prioritization, an analyst can choose the granularity of objectives, i.e., only attack stage $\langle mcat\rangle$, attack stage and targeted service $\langle mcat, mServ\rangle$, or the full tuple $\langle mcat, mServ, q\rangle$. By default, SAGE generates AGs on a per-victim, per-objective basis, i.e., for an objective $obj \in Obj$ and a victim $v \in V$, only the state sequences that contain $obj$ are considered, i.e., $\{path \in ESQ_{av} \mid obj \in path\}$. In theory, this produces $|V| \times |Obj|$ attack graphs, many of which contain shared paths. We aggregate AGs of a victim $v$ and objectives $obj = \langle mcat, mServ, q\rangle$ and $obj' = \langle mcat, mServ, q'\rangle$, by adding a new root node $\langle mcat, mServ\rangle$. This is because paths leading to $obj$ and $obj'$ tend to have shared vertices. On the CPTC-2018 dataset, for 19 victims and 70 objectives, this step results in 93 AGs instead of 1,330 (a reduction of 93%). Each AG compresses over 500 alerts in less than 25 vertices, on average.
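As an added example (not SAGE's or Flexfringe's code), the following Python runs reversed episode subsequences through a constructed toy suffix-PDFA to compute trace probabilities and the perplexity of Section 4.2.3, pairs episodes with state identifiers as in Section 4.3.1, and builds a per-victim, per-objective attack graph with sliding-window edges and an aggregating root as in Section 4.3.2. The automaton and its probabilities, the Theme() mapping, the episode sequences, and the choice to pair an episode with the state that follows it in the reversed run are all assumptions made for the example.

```python
"""Added example, not SAGE's own code: a constructed suffix-PDFA run over
reversed episode subsequences to compute trace probabilities and perplexity
(Section 4.2.3), pair episodes with state identifiers (Section 4.3.1) and
build a per-victim, per-objective attack graph (Section 4.3.2). All
probabilities, services and sequences are made up for the example."""
import math

# Constructed Theme(): the paper's service grouping lives in its appendix.
THEME = {"http": "http", "remoteware-cl": "remote", "ssh": "remote"}

# Constructed S-PDFA: (state, symbol) -> (next_state, probability). State 0 is
# the root of the suffix tree and a trace is fed in last episode first. State 4
# is reached from both 2 and 6: a merged state, which a plain suffix tree lacks.
TRANSITIONS = {
    (0, "exfil|http"): (1, 0.3),
    (1, "codeExec|http"): (3, 1.0),
    (3, "servDisc|http"): (5, 1.0),
    (0, "exfil|remote"): (2, 0.7),
    (2, "privEsc|remote"): (4, 1.0),
    (4, "vulnDisc|remote"): (5, 0.5),
    (4, "exfil|remote"): (6, 0.5),
    (6, "privEsc|remote"): (4, 1.0),
}
STOP = {5: 1.0}  # probability that a reversed trace ends in a given state


def run_reversed(episodes):
    """Feed episodes a1..an, each (mcat, mServ, start_time), to the suffix model
    as symbols <mcat, Theme(mServ)> in the order an..a1. Returns (P(trace),
    [q1..qn]) with states in consumption order. A symbol with no transition
    would be a sink in SAGE; here it raises, so log2(0) is never attempted."""
    state, prob, states = 0, 1.0, []
    for mcat, mserv, _ in reversed(episodes):
        key = (state, f"{mcat}|{THEME[mserv]}")
        if key not in TRANSITIONS:
            raise ValueError(f"no transition for {key[1]} from state {state}")
        state, p = TRANSITIONS[key]
        prob *= p
        states.append(state)
    return prob * STOP.get(state, 0.0), states


def perplexity(traces):
    """2 ** (-(1/N) * sum(log2 P(x_i))) over N traces: lower is a better fit."""
    logs = [math.log2(run_reversed(t)[0]) for t in traces]
    return 2 ** (-sum(logs) / len(logs))


def episode_states(episodes):
    """The state subsequence q0 an q1 ... a1 qn of Sec. 4.3.1 as (episode, q)
    pairs in forward order. Assumption: episode a_i takes the state that
    follows it in the reversed run, so its context reflects its future."""
    _, states = run_reversed(episodes)
    return list(zip(episodes, reversed(states)))


def build_attack_graph(sequences, victim, mcat, mserv):
    """Vertices are <mcat, mServ, q> items; edges come from a sliding window of
    length 2 over every path ending in an objective <mcat, mServ, q>, and all
    such objectives hang off one root <mcat, mServ>. Every attempt is a path."""
    root = (mcat, mserv)
    vertices, edges = {root}, []
    for seq in sequences:
        if seq["victim"] != victim:
            continue
        items = [(m, s, q) for (m, s, _), q in episode_states(seq["episodes"])]
        starts = [t for _, _, t in seq["episodes"]]
        for end, item in enumerate(items):
            if item[:2] != root:
                continue
            path = items[: end + 1]
            vertices.update(path)
            for i in range(end):  # edge label: start time of the next episode
                edges.append((path[i], path[i + 1], starts[i + 1], seq["team"]))
            edges.append((item, root, starts[end], seq["team"]))
    return vertices, edges


# Constructed (attacker, victim) episode subsequences for one victim host.
SEQUENCES = [
    {"team": "T1", "victim": "10.0.0.99", "episodes": [
        ("servDisc", "http", 120), ("codeExec", "http", 300),
        ("exfil", "http", 450)]},
    {"team": "T5", "victim": "10.0.0.99", "episodes": [
        ("vulnDisc", "remoteware-cl", 600), ("privEsc", "remoteware-cl", 900),
        ("exfil", "remoteware-cl", 1200)]},
    # T1 re-exploits the objective: its first exfil episode is followed by
    # more actions, so it receives a different state than the final one.
    {"team": "T1", "victim": "10.0.0.99", "episodes": [
        ("vulnDisc", "ssh", 2000), ("privEsc", "ssh", 2300),
        ("exfil", "remoteware-cl", 2600), ("privEsc", "ssh", 2900),
        ("exfil", "remoteware-cl", 3100)]},
]

if __name__ == "__main__":
    V, E = build_attack_graph(SEQUENCES, "10.0.0.99", "exfil", "remoteware-cl")
    print(len(V), "vertices,", len(E), "edges, simplicity |V|/|E| =", len(V) / len(E))
    print("perplexity:", perplexity([s["episodes"] for s in SEQUENCES]))
```

On the constructed data the two exfiltration episodes of the re-exploiting sequence receive different state identifiers (6 and 2), which is the "same episode, different context" effect the paper describes, and the resulting graph has 7 vertices and 11 edges.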

TABLE 3
Experimental Dataset Summary (Before Filtering)

Dataset/Properties      CPTC-2018            CPTC-2017            CCDC-2018
# alerts                330,270              43,611               1,052,281
# teams                 6                    9                    Unknown
# IPs                   42                   494                  2138
# services              160                  168                  2050
Duration (hrs)          9                    11                   25
Attacker hosts known?   Yes                  No                   No
Victim hosts known?     Yes                  No                   No
Dataset type            Penetration testing  Penetration testing  Blue teaming

In summary, the root of an attack graph is $\langle mcat, mServ\rangle$. Other vertices are the unique items in $path$. Edges are obtained by running a sliding window of length 2 over $path$. The edge label shows the start-time attribute of each episode, showing attack progression. In a state sequence, if an objective is achieved multiple times, each attempt is shown as an individual path in the graph. Also, to make the strategy comparison easier, all teams that achieve an objective are shown in one graph, distinguishable by their edge color. Fig. 7 shows an alert-driven attack graph's anatomy.

Fig. 7. An alert-driven attack graph. Vertices: Labels show ⟨attack stage, targeted service, state identifier⟩. Low-severity episodes are ovals, medium-severity are boxes, high-severity are hexagons. The first episode in a path is yellow, the objective is black. Sinks are dotted. Edges: Labels show seconds since the first alert. Colors show team affiliation: T1 (Maroon), T2 (Orange), T5 (Green), T7 (black), T8 (Magenta), T9 (Purple).

4.3.3 Attack Graph Complexity Analysis

We evaluate the complexity of the AGs using the model simplicity metric proposed by De Alvarenga et al. [40] for process mining, i.e., $Simplicity(AG) = \frac{|V|}{|E|}$, where $|V|$ and $|E|$ are the number of vertices and edges, respectively. The average simplicity of the CPTC-2018 AGs is 0.81, with 21.7 vertices on average (min: 3, max: 49) and 38.7 edges on average (min: 2, max: 174). Although the average number of vertices is higher than in [40], these AGs show the paths for all teams, making strategy comparison much easier. Moreover, Nadeem et al. [63] show that the S-PDFA AGs are more succinct than suffix tree- and Markov chain-based approaches.

4.4 Explainability Analysis of SAGE

We make conscious design decisions to make the entire SAGE pipeline explainable. This is so that security analysts can review the attack graphs (AG), reason about attacker strategies, and discover new knowledge [64].

Fig. 7 shows the composition of an alert-driven AG. An AG for a given (objective, victim) is a compressed representation of its relevant intrusion alerts. A vertex represents an aggregation of alerts, i.e., an episode (defined by the severity of its attack stage, its context as determined by the S-PDFA, and the most frequently-targeted service within the alerts). Some episodes may have the same shape, attack stage, and targeted service, but different contexts, i.e., state identifiers. This happens when these episodes are observed in sequences with different futures and pasts. An AG may also have multiple red vertices if the S-PDFA identifies different ways of obtaining the same objective, which happens when the paths leading up to it are significantly different. A path in an AG represents a sequence of episodes that leads to an objective. Two paths overlap iff the S-PDFA has sufficient evidence that they are similar, i.e., the episodes have identical futures or similar pasts. In addition, we remove the influence of (a) other actions in a path by constructing a sequence with only the alerts between a specific (attacker, victim) pair, and (b) other attack attempts by modeling each one as a separate path. A path can be traced starting from a yellow vertex, and following the time progression of the edge labels, ending in one of the red vertices. This makes each AG design- and algorithmically transparent, interpretable, and scientifically explainable.

The S-PDFA is an intermediate step responsible for modeling context. We specifically learn a suffix model to highlight the infrequent severe episodes. The Markovian property, together with sinks, makes the model components interpretable. The deterministic nature of the model makes it algorithmically transparent. The parameter settings are guided by the input data, making the model design transparent.

5 DATASET AND EXPERIMENTAL SETUP

Dataset. Security testing competitions provide an ideal setting for distributed multi-stage attacks in a controlled environment. In this paper, we use three open-source intrusion alert datasets: two datasets from the Collegiate Penetration Testing Competition (CPTC) [65] for showing SAGE's efficacy, and one dataset from the Collegiate Cyber Defense Competition (CCDC) [66] for showing SAGE's generalizability. A summary of the datasets is given in Table 3.

The alert datasets are generated by different student teams who are tasked to compromise a common fictitious network. The CPTC-2017 dataset contains alerts by nine teams (T2 to T10) targeting an electronic election infrastructure, while the CPTC-2018 dataset contains alerts by six teams (T1, T2, T5, T7, T8, T9) targeting an automotive company. Naturally, some vulnerabilities are unique to the network, while the others are typical of any misconfigured web server. Each team has access to fixed-IP machines that they

can use, either in collaboration or in isolation, to achieve their objectives. The infrastructure is monitored by a Suricata IDS [67], which records alerts on a per-team basis. Beyond the attackers' IP information, no other ground truth is available regarding the attack progression and attacker strategies. This imitates the real-world scenario where SOC analysts i) determine how an attack happened, and ii) compare attacker strategies for fingerprintable behaviors.

Experiments. We perform three sets of experiments:

1) Strategy explanation. We analyze attack graphs generated from one infrastructure, i.e., CPTC-2018, and demonstrate SAGE's explainability aspect.
2) Model comparison. We perform a comparison between the CPTC-2017 and CPTC-2018 S-PDFA models to highlight infrastructure-related differences captured by the learning algorithm.
3) Replication case study. We analyze attack graphs generated from the CCDC-2018 dataset; it contains alerts from a blue team exercise, where the organizers serve as the red team. Other than a network topology diagram (which seems like a web shop), no other ground truth is available.

Parameters. In this paper, we set $t = 1.0$ seconds to filter repeated alerts [5], [42]. For window length $w$, we experiment with $w = \{60, 150, 300, 600\}$ seconds, and choose $w = 150$ as a reasonable value. Smaller window sizes produce longer alert sequences, which may cut the same behavior across multiple episodes. As such, $w$ should be tuned according to the trade-off between analysis resolution and the number of alerts available per sequence. For model learning, state count, symbol count, and sink count are set to 5. All experiments are run in a Jupyter notebook executed on an Intel Xeon W-2123 quad-core processor with 32 GB RAM.

6 RESULTS AND DISCUSSION

Alert-driven attack graphs (AG) are aggregated representations of intrusion alerts, reflecting the actual pathways taken by the attacker teams. The AGs are succinct, interpretable, and generalizable.

6.1 Explaining Attacker Strategies in CPTC-2018

In this experiment, we analyze the AGs generated from CPTC-2018. The S-PDFA finds a total of 70 contextual objectives that are achieved by targeting 19 victim hosts. 330,270 alerts are represented by 93 AGs, where each AG shows how the attack actually transpired. The end-to-end execution time is 1.65 minutes, where 50% of this time is spent loading the intrusion alerts. Below, we demonstrate how SAGE enables visual analytics for attack path interpretation, and highlights strategic differences for intelligence collection.

6.1.1 Comparing Individual Attack Paths

(1) Alert-driven attack graphs provide insights into the paths explored by attackers. Fig. 8 shows the strategies of three teams (the absence of other teams indicates that they were unable to achieve this objective). This graph compresses 300 alerts into 25 vertices, enabling a SOC analyst to follow the attack progression.

Fig. 8. Attack graph of data exfiltration over remoteware-cl. Three attacker teams successfully exploit it: Teams 1 and 5 exploit it twice, and each subsequent attempt is shorter than the first. The S-PDFA identifies three ways of exploiting the objective based on the actions that lead up to it.

(2) Fig. 8 shows that T1, T5, and T8 exfiltrate data from 10.0.0.20 using a remote access service. The teams self-reported that they had found a chatting application on this host that contained credentials, which they exfiltrate using a combination of privilege escalation and arbitrary code execution. The AG concretely shows how this was done. T5 finds two distinct paths to complete this objective: first at around the 1.4-hour mark of the competition, and then later at around the 4.5-hour mark. T1 also finds two paths, but significantly later in the competition. The S-PDFA identifies three distinct exfiltration states because of significant differences in the paths that reach these states. Clearly, the states ⟨data_exfiltration, remoteware-cl, 17⟩ and ⟨. . . , 116⟩ are reached later in the competition with fewer steps, implicitly capturing attackers' increasing experience.

(3) Interestingly, an AG of data manipulation (Fig. 9) results in a partial sub-graph of the AG from Fig. 8, due to overlap in paths that attain both objectives. It shows three variants of data manipulation, of which two are also present in the exfiltration graph, i.e., ⟨data_manipulation, remoteware-cl, 95⟩ and ⟨. . . , 288⟩. T5 finds one additional path to reach ⟨. . . , 18⟩ right after it has reached

⟨data_exfiltration, remoteware-cl, 17⟩ from the previous AG. These types of insights provide actionable intelligence to disrupt the cyber kill-chain [68].

Fig. 9. An attack graph of data manipulation is a partial sub-graph of Fig. 8 because of overlapping attack paths.

6.1.2 Explaining Strategic Differences Across AGs

(1) In addition to comparing attack paths, SOC analysts can also compare entire AGs for a broader view of the network, e.g., the AGs of victims 10.0.1.40 and 10.0.1.41 for data exfiltration over http are identical, both in terms of the teams that exploit it and the timestamps of their actions (see Fig. 10). According to the network topology, these two hosts handle authentication in the production network. The identical AGs indicate that both T5 and T8 conduct a scripted attack on these hosts.

Fig. 10. Identical and simultaneous attacks targeting multiple victim hosts result in identical attack graphs.

(2) Fig. 11 shows T5, T7, and T8 conducting resource hijacking over two hosts (.40, .41) using http, resulting in highly similar AGs. T5 has an identical strategy for both hosts. T7 does scans before manipulating accounts and conducting a network DoS over .41, while later they only perform a scan and a network DoS over .40. Similarly, T8 does a privilege escalation and code execution after network DoS over .41, while they later only do a network DoS over .40 to achieve their objective. These differences show that attackers tend to follow shorter paths after having successfully exploited a longer path. Out of all the attack paths discovered in CPTC-2018, 84.5% of subsequent paths are shorter than an earlier attempt, for a given objective.

Fig. 11. Similar attacks targeting multiple victim hosts result in overlapping attack graphs.

6.1.3 Discovering Fingerprintable Paths

After analyzing the AGs, we observe that different teams often reach different objectives, and when they do reach the same objective, their paths are very different. Moreover, when a team reaches an objective multiple times, their paths are highly similar. Thus, the uniqueness of the paths can be used by SOC analysts as fingerprints to single out attacker teams. A fingerprint is a uniquely identifiable sequence of

episodes, i.e., a path, that leads to a certain objective. It is entirely possible that other paths (or sub-paths) leading to common objectives are also unique, but we take a conservative approach and say that an objective is fingerprintable if only a single team reaches it. Also, an objective can have more than one fingerprint if a team finds multiple unique ways to reach it. Table 4 shows the number of unique paths each team discovers during CPTC-2018. 17 objectives are fingerprintable, with a total of 29 unique fingerprints. We found 9 fingerprints for two objectives reached by T1; 10 fingerprints for four objectives reached by T5; 7 fingerprints for five objectives reached by T7; and 3 fingerprints for three objectives reached by T9. We found no dedicated fingerprintable objectives for T2 and T8. Also, since a fingerprint is a sequence of episodes, longer fingerprints provide more evidence for identifying an attacker. The fingerprints we discover are composed of 15.8 episodes, on average, which provides solid evidence to uniquely identify a team.

TABLE 4
Number of Unique Paths Discovered by the CPTC-2018 Teams, per Objective

Fingerprintable objectives are highlighted (and the number of fingerprints is shown as x).

TABLE 5
CPTC-2018 Team Ranking Based on the Fraction of Unique Severe Vertices Discovered

Teams   # Active hosts   # High-sev vertices (out of 70)   # Medium-sev vertices (out of 148)   Weighted average percentage
T5      2/5              28 (40%)                          40 (27%)                             35.67
T1      5/6              18 (26%)                          62 (42%)                             31.33
T9      5/5              23 (33%)                          36 (24%)                             30.0
T7      6/6              22 (31%)                          26 (18%)                             26.67
T8      6/7              15 (21%)                          32 (22%)                             21.33
T2      3/6              3 (4%)                            8 (5%)                               4.33

6.1.4 Ranking Attacker Performance

Each vertex in an alert-driven AG signifies a new milestone or objective achieved by an attacker. We argue that the fraction of unique milestones discovered by an attacker provides a metric for their performance, which can be used by SOC analysts and red teams to rank interesting attacker hosts. A medium-severity episode serves as a stepping-stone towards a high-severity episode. Hence, we propose that high-severity vertices hold twice the weight of medium-severity vertices, i.e., $\frac{(2 \times high) + (1 \times medium)}{3}$.

Table 5 shows the evaluation of CPTC-2018 teams based on all 93 AGs, ranked according to their performance. It shows, for each team, the number of active attacker hosts, and the unique milestones they discover. T5 is the most high-profile team, even though only two team members were responsible for discovering all the high-severity vertices. T1 comes in second, solely because they discover the highest number of medium-severity vertices. Finally, T2 discovers the least number of severe vertices. These results are also corroborated by Table 4, which shows T2 being unsuccessful in discovering many of the objectives.

6.2 CPTC-2017 versus CPTC-2018 S-PDFA Comparison

In this experiment, we analyze the extent to which an S-PDFA model summarizes attacker strategies, including infrastructure-related nuances, present in an alert dataset. We learn two S-PDFA models, one for CPTC-2018 (Fig. 6) and the other for CPTC-2017 (see appendix, available in the online supplemental material) using the same method and parameter settings. Both models summarize the various paths taken by the teams to reach high-severity states. Several thousand alerts are modeled by less than 75 states. The 2017 model is larger than the 2018 model, with significantly more transitions. This is because the 2017 dataset has more traces, and there is more variability per trace, i.e., the 2017 teams exhibit more diverse sub-behaviors than the 2018 teams.

Table 6 shows an exhaustive comparison between the two models in terms of the services used to carry out the objectives. It shows the number of unique objectives exploited by the teams via a particular service. This includes the different ways of reaching the same objective, as identified by the S-PDFA model. The most striking difference between the

models is that there are, on average, more paths leading to severe states in the 2017 model than in the 2018 one. This means that a control could be more easily placed in the 2018 network, making it impossible for attackers to complete certain objectives. This is important because the 2018 teams exploit each service for completing more objectives, on average. However, the same does not hold for the 2017 model as it has additional pathways for attackers to evade controls.

Table 6 shows that the teams in the election scenario (2017) exfiltrate data using a specific type of browser, while this service is never even scanned in the automotive scenario (2018). They also conduct DoS attacks using the network time protocol (clocksync), and use services associated with authentication and storage that are never used in the automotive scenario. On the other hand, teams conduct privilege escalation on a web hosting service in the automotive scenario, but never in the election scenario. Furthermore, while both team-sets scan and elevate privileges related to email, only the teams in the election scenario manage to exploit it for exfiltrating data. The unassigned service category is particularly intriguing because it refers to high port numbers being targeted. SOC analysts for both networks should analyze whether these open ports indicate a misconfiguration in their networks.

TABLE 6
Differences in the Objectives Obtained in CPTC-2017 and CPTC-2018 as Modeled by the S-PDFA

6.3 Case Study: Applying SAGE to CCDC-2018

The Collegiate Cyber Defense Competition (CCDC) dataset is given as input to SAGE to verify whether it provides the same interpretability and succinctness on a dataset that is not related to penetration testing (see appendix, available in the online supplemental material, for the resulting S-PDFA). From 1,052,281 alerts, SAGE produces 139 AGs. The fact that we do not have any information about the attacker/victim hosts and the underlying infrastructure reinforces that SAGE is generalizable, and is agnostic to host, dataset, and infrastructure properties. The cases discussed in this section verify that the alert-driven AGs require no expert knowledge to be insightful.

Case 1 - Path Enumeration. The AG in Fig. 12 shows two possible variants of data exfiltration over SMTP (email service), which can be achieved using the following paths:

1) RPE, ACE, NetDoS, VulnDisc, RPE, ACE, Exfil
2) NetDoS, VulnDisc, RPE, ACE, Exfil
3) VulnDisc, RPE, ACE, NetDoS, Exfil
4) VulnDisc, NetDoS, Exfil
5) VulnDisc, ACE, Exfil
6) VulnDisc, RPE, ACE, Exfil

where RPE is root privilege escalation; ACE is arbitrary code execution; VulnDisc is vulnerability discovery; Exfil is data exfiltration, and NetDoS is network DoS. Explicitly enumerating attack paths in this way can help red teams come up with creative strategies. The first two paths are especially interesting because they start with a severe attack stage. Since these alert-driven AGs show a segment of an on-going campaign, starting from a severe attack stage indicates that the attackers already had intelligence from elsewhere before targeting this machine. Such paths are not intuitive when constructing expert-driven AGs.

Fig. 12. Attack graph of data exfiltration over smtp for CCDC-2018. The same attacker host makes 13 attempts. Paths starting from severe attack stages are possible because the attack graphs show part of a full attack campaign.

Case 2 - Shortest Path. Fig. 13 shows the AG for performing Network DoS using NTP. It shows two possible variants, starting from six different vertices. Various services are targeted along the way, including http and microsoft-ds (data sharing protocol). The different attacker hosts are highlighted by different edge colors. This AG shows that it is possible to obtain this objective with just two actions, i.e., data exfiltration

Authorized licensed use limited to: JNT University Kakinada. Downloaded on May 09,2022 at 16:25:23 UTC from IEEE Xplore. Restrictions apply.
NADEEM ET AL.: ALERT-DRIVEN ATTACK GRAPH GENERATION USING S-PDFA 743

Fig. 13. Attack graph of network DoS over ntp for CCDC-2018. There are
six possible starting actions and two possible ways to reach the objective.

and network DoS. This happens at the 4-hour mark. About 30


minutes later, root privilege escalation is done leading to arbi-
trary code execution and Network DoS. This is a counter-
example where a subsequent path is longer than the first,
even though only a single IP is involved. SOC analysts can
further investigate whether these two attempts are indeed
made by the same attacker, or some behavioral artifact is at
play.
Case 3 - An Extra Attempt. Fig. 14 shows various ways to
conduct data exfiltration over https for victims 10.47.3.142
and 10.47.3.1. Both AGs are nearly identical, with one addi-
tional exfiltration attempt in the second AG towards the
end of the competition, made by a new attacker. SOC ana-
lysts can investigate why only one of the two machines
were targeted by this new attacker.

6.4 Practical Implications for CTI: A Discussion


CTI platforms convert cyber data into actionable intelli-
gence. Intrusion alerts play a critical role in this process,
and automated attacker strategy derivation is a major chal-
lenge. Existing tools that display attacker strategies via
attack graphs (AG) require network scans and vulnerabil-
ity information, which are often time-consuming and
outdated. Fig. 14. Highly similar attack graphs of two victims from CCDC-2018.
(Figure caption fragment) The graphs are identical, except for an additional attack attempt by a new attacker in the second graph.

SAGE generates purely alert-driven attack graphs that provide quick insight into attacker strategies, without expert input. SAGE has an explainable architecture (Fig. 1) and can directly augment existing intrusion detection systems. It is released in a Docker container for cross-platform support. SAGE facilitates attacker strategy analysis via advanced visualizations. The attack graphs are a compressed representation of numerous alerts. Even though SAGE does not discard any alert, the targeted nature of the attack graphs allows analysts to review large quantities of alerts without being overwhelmed.

The analysis presented in this paper merely scratches the surface of the intelligence that can be acquired from these alert-driven AGs. They show clear attack progression and allow strategy comparison. Fingerprintable paths can be recorded for attacker re-identification. They also show that attackers often follow a shorter path to re-exploit an objective after they have already discovered a longer one.

We have rigorously evaluated SAGE with diverse datasets and against alternative modeling approaches. We show that the AGs indeed model the teams' self-reported claims. As demonstrated in Section 6.3, SAGE is agnostic to network, host, and alert properties: with no ground truth about any aspect of the dataset, SAGE produces succinct and interpretable attack graphs that yield actionable insights.

As a potential use-case, the attack graphs can also be used to evaluate IDS rules. The quality of alert-driven AGs is directly dependent on the quality of the IDS rules. Thus, if an attacker is known to have exploited the system and that path is missing from the AGs, it is an indication of missing or faulty rules. Note that this check needs an independent record of what the attacker did, such as the teams' self-reported claims used in our evaluation: the AGs cannot by themselves reveal activity for which the IDS raised no alert.

7 LIMITATIONS AND FUTURE WORK

Learning from infrequent sequences is a hard problem. A side-effect of including high-severity sinks in the state sequences is that the corresponding AG might show distinct objective types for similar sequences. Although this happens rarely, handling this problem is left as future work. Second, only the state sequences that reach an objective are part of its corresponding AG. It is possible that attackers divide their tasks such that the full attack path is only visible across multiple sequences. The AS construction resolution needs to be changed in order to handle this scenario. Third, the S-PDFA is sensitive to small perturbations in the sequences at test-time.
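To make this test-time sensitivity concrete, the following Python is an added example written for this page; it is not SAGE's code and not its S-PDFA learner. It uses a fixed-order suffix automaton, whose states are the two most recently consumed symbols of the reversed trace, as a stand-in for the merged S-PDFA, and the training traces and stage symbols are constructed for illustration. It shows that a single inserted symbol drives a test trace's probability to zero, and that adding perturbed copies of the training traces (the oversampling discussed in this section) restores a non-zero score at the cost of moving the estimated transition probabilities away from those of the original data.

```python
from collections import Counter, defaultdict

ORDER = 2          # a state is the last ORDER symbols consumed (assumption: fixed-order stand-in)
END = "<end>"

# Constructed training traces (not taken from the paper's datasets): each is the
# sequence of attack-stage symbols observed for one attacker/victim pair.
TRAIN = [
    ("scan", "scan", "brute", "login", "priv", "exfil"),
    ("scan", "brute", "login", "priv", "exfil"),
    ("scan", "brute", "login", "exfil"),
    ("scan", "scan", "brute", "login", "priv", "exfil"),
    ("scan", "dos"),
    ("scan", "scan", "dos"),
]


def learn(traces, order=ORDER):
    """Count transitions of a suffix-based, fixed-order automaton.

    Traces are consumed in reverse so that the objective (the last, most
    severe symbol) is read first and states summarise the path that led
    to it. A state is the tuple of the last `order` symbols consumed; the
    real S-PDFA learner merges states instead, which this stand-in omits.
    """
    counts = defaultdict(Counter)
    for trace in traces:
        state = ()
        for sym in reversed(trace):
            counts[state][sym] += 1
            state = (state + (sym,))[-order:]
        counts[state][END] += 1
    return counts


def transition_prob(counts, state, sym):
    total = sum(counts[state].values())
    return counts[state][sym] / total if total else 0.0


def trace_prob(counts, trace, order=ORDER):
    """Probability assigned to a whole trace; 0.0 as soon as a transition was never seen."""
    p, state = 1.0, ()
    for sym in reversed(trace):
        p *= transition_prob(counts, state, sym)
        if p == 0.0:
            return 0.0
        state = (state + (sym,))[-order:]
    return p * transition_prob(counts, state, END)


def insert_symbol(trace, sym, pos):
    """Single-symbol perturbation: insert `sym` before index `pos`."""
    return trace[:pos] + (sym,) + trace[pos:]


def augment(traces, sym):
    """Oversample: add one perturbed copy per interior insertion point of every trace."""
    out = list(traces)
    for t in traces:
        out.extend(insert_symbol(t, sym, i) for i in range(1, len(t)))
    return out


CLEAN = ("scan", "brute", "login", "priv", "exfil")
PERTURBED = insert_symbol(CLEAN, "scan", 2)   # one extra scan in the middle of the trace


def demo():
    base = learn(TRAIN)
    aug = learn(augment(TRAIN, "scan"))
    return {
        "clean_base": trace_prob(base, CLEAN),           # non-zero: trace was seen
        "perturbed_base": trace_prob(base, PERTURBED),   # 0.0: unseen transition
        "perturbed_aug": trace_prob(aug, PERTURBED),     # non-zero after oversampling
        "clean_aug": trace_prob(aug, CLEAN),             # lower than clean_base
        # the transition whose estimate the oversampling moved away from the data
        "p_brute_after_login_base": transition_prob(base, ("priv", "login"), "brute"),
        "p_brute_after_login_aug": transition_prob(aug, ("priv", "login"), "brute"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:28s} {value:.4f}")
```

The transition out of state ("priv", "login") is estimated at 1.0 from the original traces and drops to 11/14 once the perturbed copies are counted, which is exactly the distribution shift that makes oversampling unattractive as a fix.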

Authorized licensed use limited to: JNT University Kakinada. Downloaded on May 09,2022 at 16:25:23 UTC from IEEE Xplore. Restrictions apply.
744 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 19, NO. 2, MARCH/APRIL 2022

To build resilience, perturbed traces can be added to the training dataset at learning time. Note that such oversampling alters the true data distribution, which is why we do not opt for this solution. Lastly, we do not yet have a metric to measure model interpretability. Metrics like AIC, BIC, and perplexity produce arbitrary values for models learned with different parameters, making the comparison meaningless.

Future work will focus on: (a) evaluating the adversarial robustness of SAGE; (b) deploying SAGE during a security competition to measure its effectiveness; and (c) building alert-driven AGs on the fly to monitor evolving threats.

8 CONCLUSION

Intrusion alerts play a critical role in extracting intelligence about attacker strategies, which is mostly a labor-intensive and expert knowledge-driven process. To the best of our knowledge, SAGE is the first tool that generates purely alert-driven attack graphs (AGs) without a priori expert knowledge. We elaborate upon SAGE's sequence learning pipeline, which is fully transparent, interpretable and explainable. As a core building block, SAGE utilizes a suffix-based probabilistic deterministic finite automaton (S-PDFA), a model that leverages the temporal and probabilistic dependence between alerts. The S-PDFA brings infrequent severe alerts into the spotlight without discarding any low-severity alerts. Targeted attack graphs are then extracted on a per-victim, per-objective basis. Using several use-cases, we demonstrate the practical utility of SAGE's AGs.

Our extensive experiments show that the AGs provide a clear picture of the attack progression and capture the strategies of the participating teams. Specifically for CPTC-2018, SAGE compresses over 330k alerts into 93 AGs in under a minute. These AGs can be used both for forensic analysis of the attacks and for intelligence collection: (i) they show exactly how specific attacks transpired and reveal that attackers follow shorter paths to re-exploit objectives 84.5% of the time; (ii) they discover 29 uniquely identifiable attack paths, composed of 15.8 episodes on average; (iii) they rank attackers based on the severity of their actions, showing that Team 5 visits the highest and Team 2 the lowest number of severe vertices. SAGE is agnostic to host and network properties: it is capable of producing insightful attack graphs even when no ground truth about attackers and the target network is available. SAGE is released in a Docker container for cross-platform support.
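The three kinds of result listed in the conclusion (shorter re-exploitation, uniquely identifiable paths, severity ranking) and the IDS-rule check proposed at the end of Section 6 can all be computed directly from extracted attack paths. The Python below is an added example written for this page, not SAGE's own code. It assumes each path is already available as a tuple of episode labels whose last label is the objective; the attacker paths, victim addresses, and the set of severe episode types are constructed for illustration, and measuring "shorter" against the first path that reached the objective is an assumption about the paper's exact definition.

```python
from collections import defaultdict
from statistics import mean

# Constructed attack paths (not from the CPTC/CCDC datasets): one record per
# path an (attacker, victim) pair traversed, in traversal order. The last
# episode of a path is the objective the attack graph is built for.
PATHS = [
    ("T1", "10.0.0.5", ("scan", "brute", "login", "priv", "exfil")),
    ("T1", "10.0.0.5", ("login", "priv", "exfil")),
    ("T1", "10.0.0.5", ("login", "exfil")),
    ("T1", "10.0.0.9", ("scan", "brute", "login", "priv", "exfil")),
    ("T2", "10.0.0.5", ("scan", "brute", "login")),
    ("T2", "10.0.0.5", ("scan", "brute", "login", "exfil")),
    ("T2", "10.0.0.5", ("scan", "brute", "login", "exfil")),
    ("T2", "10.0.0.7", ("scan", "dos")),
    ("T3", "10.0.0.5", ("scan", "brute", "login")),
    ("T3", "10.0.0.7", ("scan", "scan", "dos")),
    ("T3", "10.0.0.7", ("dos",)),
]

# Episode types treated as high severity (assumption standing in for SAGE's
# severity classes).
SEVERE = {"priv", "exfil", "dos"}


def shorter_reexploit_ratio(paths):
    """Fraction of re-exploitations (second and later paths to the same
    attacker/victim/objective) that are strictly shorter than the first
    path that reached that objective."""
    first_len, shorter, total = {}, 0, 0
    for attacker, victim, path in paths:
        key = (attacker, victim, path[-1])
        if key not in first_len:
            first_len[key] = len(path)
            continue
        total += 1
        shorter += len(path) < first_len[key]
    return shorter / total if total else 0.0


def fingerprintable_paths(paths):
    """Paths traversed by exactly one attacker, mapped to that attacker;
    these are the paths usable for re-identification."""
    seen_by = defaultdict(set)
    for attacker, _, path in paths:
        seen_by[path].add(attacker)
    return {path: next(iter(who)) for path, who in seen_by.items() if len(who) == 1}


def severity_ranking(paths, severe=SEVERE):
    """Attackers ranked by the number of distinct severe vertices
    (episode, victim) they visited, most severe first."""
    vertices = defaultdict(set)
    for attacker, victim, path in paths:
        vertices[attacker].update((ep, victim) for ep in path if ep in severe)
    return sorted(((a, len(v)) for a, v in vertices.items()),
                  key=lambda av: (-av[1], av[0]))


def missing_rule_candidates(paths, claimed):
    """Claimed (victim, episode) pairs, e.g. from a team's self-report, that
    no extracted path contains: candidates for missing or faulty IDS rules."""
    observed = {(victim, ep) for _, victim, path in paths for ep in path}
    return sorted(set(claimed) - observed)


if __name__ == "__main__":
    print("shorter re-exploit ratio:", shorter_reexploit_ratio(PATHS))
    fp = fingerprintable_paths(PATHS)
    print(len(fp), "fingerprintable paths, mean length", mean(len(p) for p in fp))
    print("severity ranking:", severity_ranking(PATHS))
    claims = {("10.0.0.5", "exfil"), ("10.0.0.9", "priv"),
              ("10.0.0.11", "exfil"), ("10.0.0.5", "webshell")}
    print("rule gaps:", missing_rule_candidates(PATHS, claims))
```

On the constructed input, the shared path ("scan", "brute", "login") is dropped from the fingerprint set because two attackers traversed it, and the two claimed pairs that no path covers are reported as rule gaps; the claims set has to come from outside the alert data, since a gap in the IDS rules produces no alert to build a path from.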
ACKNOWLEDGMENTS

We thank Profs. Bill Stackpole and Daryl Johnson for their guidance, and the reviewers for their constructive feedback that has tremendously improved this manuscript.


Azqa Nadeem received the BS degree from the National University of Science and Technology, Islamabad, Pakistan, in 2015 and the MS degree (cum laude) in 2018 from the Delft University of Technology, Delft, The Netherlands, where she is currently working toward the PhD degree with the Cyber Analytics Lab. Her research interests include the development of explainable sequential machine learning systems for network security applications. She was the recipient of the JvEffen Excellence Scholarship in 2016, and the Best Graduate Award in 2019 from the Delft University of Technology.

Sicco Verwer is currently an associate professor with the Delft University of Technology in machine learning for cybersecurity. He is the head of the TU Delft Cyber Analytics Lab, where he works on understandable AI for intrusion detection and software understanding. His team won several AI challenges, including ones on learning software models, automated reverse engineering, and adversarial machine learning. He received many grants and awards for his research, including prestigious VENI and VIDI grants from NWO and a test-of-time award from ECMLPKDD for his pioneering work on discrimination-free classification.


Stephen Moskal received the BS and MS degrees in computer engineering from the Rochester Institute of Technology (RIT), Rochester, New York, in 2016. He is currently working toward the PhD degree in engineering at the Rochester Institute of Technology, Rochester, New York. His current research interests include the simulation and modeling of cyber-attack scenarios and behaviors, along with the application of deep machine learning techniques to cyber security. He has developed concepts such as the Attacker Behavior Model (ABM) for cyber threat simulations and the Action-Intent Framework (AIF) to describe the intentions of a cyber-adversary over an attack scenario. Most recently his effort has been applying transfer learning techniques to leverage information from cyber security texts to aid in the interpretation and classification of IDS alert descriptions to the AIF. He is expected to graduate with a doctor of engineering degree in 2021.

Shanchieh Jay Yang (Senior Member, IEEE) received the MS and PhD degrees in electrical and computer engineering from the University of Texas at Austin, Austin, Texas, in 1998 and 2001, respectively. He is currently a professor with the Department of Computer Engineering and director of Global Outreach for the Global Cybersecurity Institute, Rochester Institute of Technology. His research interests include cyber attack modeling, machine learning, and simulation to enhance cyber situational awareness and anticipatory cyber defense. He was an NSF Trusted CI fellow in 2019 and an NSF Trusted CI TTP fellow in 2020. He was recognized in 2019 with the IEEE Region 1 Outstanding Teaching in an IEEE Area of Interest Award for outstanding leadership and contributions to cybersecurity and computer engineering education.
