One significant drawback of currently available security products is their inability to correlate diverse sensor input. For
instance, using only network intrusion detection data, a rootkit installed through a weak username-password combination
may go unnoticed. Similarly, an administrator may never make the link between deteriorating response times on the
database server and an attacker exfiltrating trusted data if these facts are not presented together.
Current Security Information Management Systems (SIMS) can collect and represent diverse data but lack sufficient
correlation algorithms. Using a Process Query System (PQS), we were able to quickly bring together data flowing from many
sources, including NIDS, HIDS, server logs, CPU load, and memory usage. We constructed PQS models that describe the
dynamic behavior of complicated attacks and failures, allowing us to detect and differentiate simultaneous sophisticated
attacks on a target network.
In this paper, we discuss the benefits of implementing such a multistage cyber attack detection system using PQS. We
focus on how data from multiple sources can be combined and used to detect and track comprehensive network security
events that go unnoticed using conventional tools.
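As an added illustration, not the paper's PQS implementation, the following simplified tracker shows the kind of ordered, multi-sensor correlation the abstract argues for: a model describing one attack chain (credential guessing, weak-login success, a rootkit indicator, database slowdown, bulk outbound traffic) is matched against events from auth logs, HIDS, database metrics and NIDS, and fires only when a single host completes the whole chain within a time window. The sensor names, event kinds, thresholds and sample events are all constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class Event:
    t: int            # seconds since start of the observation window (constructed)
    source: str       # sensor that produced the event (auth_log, hids, db_metrics, nids)
    host: str         # host the event concerns
    kind: str         # normalized event type
    value: float = 0  # numeric payload where the sensor has one (latency, bytes)

# Constructed multistage model: stages must be matched in this order, per host.
# Each stage is (name, predicate over one normalized event).
MODEL = [
    ("credential_guessing", lambda e: e.source == "auth_log" and e.kind == "failed_login"),
    ("weak_login_success",  lambda e: e.source == "auth_log" and e.kind == "login_success"),
    ("rootkit_indicator",   lambda e: e.source == "hids" and e.kind == "kernel_module_loaded"),
    ("db_slowdown",         lambda e: e.source == "db_metrics" and e.kind == "query_latency_ms" and e.value > 500),
    ("bulk_outbound",       lambda e: e.source == "nids" and e.kind == "outbound_bytes" and e.value > 50_000_000),
]
WINDOW = 3600  # seconds; the whole chain must complete within this window

def detect_chains(events, model=MODEL, window=WINDOW):
    """Return [(host, evidence_events)] for every host that completes the model in order.
    A real PQS keeps multiple competing hypotheses per host; this tracker keeps one."""
    state = {}          # host -> (index of next stage to match, evidence so far)
    detections = []
    for e in sorted(events, key=lambda ev: ev.t):
        idx, evidence = state.get(e.host, (0, []))
        if evidence and e.t - evidence[0].t > window:   # chain too old: start over
            idx, evidence = 0, []
        if model[idx][1](e):                            # event satisfies the next stage
            evidence = evidence + [e]
            idx += 1
            if idx == len(model):                       # full chain observed
                detections.append((e.host, evidence))
                idx, evidence = 0, []
        state[e.host] = (idx, evidence)
    return detections

# Constructed sample input. db01 shows the full chain across four sensors; web02 raises
# a lone HIDS alert and a latency spike that no single sensor could tie to an attack.
SAMPLE = [
    Event(0,   "auth_log",   "db01",  "failed_login"),
    Event(5,   "auth_log",   "db01",  "failed_login"),
    Event(9,   "auth_log",   "db01",  "login_success"),
    Event(300, "hids",       "db01",  "kernel_module_loaded"),
    Event(900, "db_metrics", "db01",  "query_latency_ms", 820),
    Event(960, "nids",       "db01",  "outbound_bytes", 120_000_000),
    Event(50,  "hids",       "web02", "kernel_module_loaded"),
    Event(70,  "db_metrics", "web02", "query_latency_ms", 900),
]

if __name__ == "__main__":
    for host, ev in detect_chains(SAMPLE):
        print(host, "->", " > ".join(f"{e.source}:{e.kind}@{e.t}s" for e in ev))
```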