Home

Awesome

SAGE (IntruSion alert-driven Attack Graph Extractor)

Repository to accompany our publications

"SAGE: Intrusion Alert-driven Attack Graph Extractor" at VizSec'21, and

"Alert-driven Attack Graph Generation using S-PDFA" at TDSC'21.

Hassle-free way to run SAGE

Switch to the docker branch to download and run SAGE inside a docker container. No additional installations are required in that case.

Run SAGE yourself

Requires

Usage

python sage.py path_to_json_files experiment_name [-h] [-t T] [-w W] [--timerange STARTRANGE ENDRANGE] [--dataset {cptc,other}] [--keep-files]

Required positional arguments:

Ideal setting: One json file for each attacker/team. Filename considered as attacker/team label.

Figures, trace files, model files, attack graphs are saved with this prefix for easy identification.

Options:

If not provided, the default values of (0,100) are used, meaning alerts from 0-th to 100-th hour (relative to the start of the alert capture) are parsed.

Since the IP addresses of the attackers are known for the CPTC dataset, irrelevant alerts are filtered out.

By default, the generated dot files with the attack graphs are deleted. They might, however, be useful for analytics or testing.

Examples:

Tip: in case you often use the same non-default values, you can create an alias (e.g alias sage="python sage.py -t 1.5 --dataset cptc --keep-files" and then run sage alerts/cptc-2017/ exp-2017)

First time use

If you use SAGE in a scientific work, consider citing the following papers:

@inproceedings{nadeem2021sage,
  title={SAGE: Intrusion Alert-driven Attack Graph Extractor},
  author={Nadeem, Azqa and Verwer, Sicco and Yang, Shanchieh Jay},
  booktitle={Symposium on Visualization for Cyber Security (Vizec)},
  publisher={IEEE},
  year={2021}
}
@article{nadeem2021alert,
  title={Alert-driven Attack Graph Generation using S-PDFA},
  author={Nadeem, Azqa and Verwer, Sicco and Moskal, Stephen and Yang, Shanchieh Jay},
  journal={IEEE Transactions on Dependable and Secure Computing (TDSC)},
  year={2021},
  publisher={IEEE}
}
@inproceedings{nadeem2021enabling,
  title={Enabling visual analytics via alert-driven attack graphs},
  author={Nadeem, Azqa and Verwer, Sicco and Moskal, Stephen and Yang, Shanchieh Jay},
  booktitle={SIGSAC Conference on Computer and Communications Security (CCS)},
  year={2021},
  publisher={ACM}
}

Azqa Nadeem

TU Delft