A systematic survey on multi-step attack detection

Abstract Since the beginning of the Internet, cyberattacks have threatened users and organisations. They have become more complex concurrently with computer networks. Nowadays, attackers need to perform several intrusion steps to reach their final objective. The set of these steps is known as multi-step attack , multi-stage attack or attack scenario . Their multi-step nature hinders intrusion detection, as the correlation of more than one action is needed to understand the attack strategy and identify the threat. Since the beginning of 2000s, the security research community has tried to propose solutions to detect this kind of threat and to predict further steps. This survey aims to gather all the publications proposing multi-step attack detection methods. We focus on methods that go beyond the detection of a symptom and try to reveal the whole structure of the attack and the links between its steps. We follow a systematic approach to bibliographic research in order to identify the relevant literature. Our effort results in a corpus of 181 publications covering 119 methods, which we describe and classify. The analysis of the publications allows us to extract some conclusions about the state of research in multi-step attack detection. As far as we know, this is the first survey fully dedicated to multi-step attack detection methods as mechanisms to reveal attack scenarios composed of digital traces left by attackers.