Chinese Journal of Network and Information Security ›› 2017, Vol. 3 ›› Issue (4): 58-68.doi: 10.11959/j.issn.2096-109x.2017.00148


Research on attack scenario reconstruction method based on causal knowledge discovery

Di FAN1, Jing LIU1,2,3, Jun-xi ZHUANG1,2,3, Ying-xu LAI1,2,3

  1. Faculty of Information Technology, Beijing University of Technology, Beijing 100124, China
  2. Beijing Key Laboratory of Trusted Computing, Beijing University of Technology, Beijing 100124, China
  3. National Engineering Laboratory for Critical Technologies of Information Security Classified Protection, Beijing University of Technology, Beijing 100124, China
  • Revised: 2017-03-06 Online: 2017-04-01 Published: 2017-04-14
  • Supported by:
    Beijing Municipal Natural Science Foundation(4162006)

Abstract:

In order to discover attack patterns from distributed alert data and construct attack scenes, a method of finding attack scenes in the alert data generated by an intrusion detection system was studied. Current research suffers from the problem that causal knowledge is complex, difficult to understand, and difficult to acquire automatically. An attack scenario reconstruction method based on causal knowledge discovery was proposed. Following the KDD process, the set of attack scene sequences was constructed from the degree of correlation of IP attributes among the alert data. Time series modeling was adopted to eliminate false positives and thereby reduce the attack scene sequences. Finally, causal relationships between the alert data were found using probability statistics. Experiments on the DARPA2000 intrusion scenario specific data sets show that the method can effectively identify multi-step attack patterns.
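As an added illustration of the pipeline the abstract describes (not the paper's own code or data), the Python below groups constructed IDS alerts into scene sequences by IP-attribute correlation and then estimates causal edges between alert types with a simple conditional-probability statistic. The alert types, addresses and thresholds are invented, and the paper's time-series false-positive filter is replaced here by a minimum-support threshold, which is an assumption of this example.

```python
from collections import defaultdict

# Constructed sample IDS alerts (not from the paper): (time, src_ip, dst_ip, alert_type)
ALERTS = [
    (1, "10.0.0.5", "10.0.1.20", "Sadmind_Ping"),
    (2, "10.0.0.5", "10.0.1.20", "Sadmind_Overflow"),
    (3, "10.0.0.5", "10.0.1.20", "ICMP_Anomaly"),      # false positive inside scene X
    (4, "10.0.1.20", "10.0.2.9", "Rsh"),
    (5, "10.0.0.6", "10.0.1.21", "Sadmind_Ping"),
    (6, "10.0.0.6", "10.0.1.21", "Sadmind_Overflow"),
    (7, "10.0.1.21", "10.0.2.10", "Rsh"),
    (8, "172.16.0.3", "10.0.3.1", "Port_Scan"),        # unrelated singleton alert
]

def ip_correlated(a, b):
    """Two alerts are IP-correlated when they share a source or destination address."""
    return bool({a[1], a[2]} & {b[1], b[2]})

def build_scenes(alerts):
    """Group alerts into scene sequences by transitive IP correlation (union-find), time-sorted."""
    parent = list(range(len(alerts)))
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i
    for i in range(len(alerts)):
        for j in range(i + 1, len(alerts)):
            if ip_correlated(alerts[i], alerts[j]):
                parent[find(i)] = find(j)
    scenes = defaultdict(list)
    for i, a in enumerate(alerts):
        scenes[find(i)].append(a)
    return [sorted(s) for s in scenes.values()]

def causal_edges(scenes, min_support=2, min_prob=0.8):
    """Estimate P(B occurs later in a scene | A occurs) and keep well-supported, likely edges."""
    has_a = defaultdict(int)      # number of scenes containing alert type A
    a_then_b = defaultdict(int)   # number of scenes in which some B follows some A
    for scene in scenes:
        types = [a[3] for a in scene]
        for t in set(types):
            has_a[t] += 1
        pairs = {(a, b) for i, a in enumerate(types) for b in set(types[i + 1:]) if a != b}
        for pair in pairs:
            a_then_b[pair] += 1
    return {(a, b): a_then_b[(a, b)] / has_a[a]
            for (a, b) in a_then_b
            if a_then_b[(a, b)] >= min_support and a_then_b[(a, b)] / has_a[a] >= min_prob}
```

On the constructed alerts this yields three scenes and keeps only the Ping to Overflow, Ping to Rsh and Overflow to Rsh edges; the single-scene ICMP_Anomaly edge is dropped by the support threshold.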

Key words: intrusion detection, alert correlation, time series modeling, attack scenario reconstruction
