| Intrusion scenario building is a new development direction in intrusion detection technology. Compared with traditional technology, it is more effective at reducing the number of false positives and false negatives while providing higher-level attack strategies. By aggregating and correlating IDS alerts, this technology provides more credible information for network security. There are two main problems in present intrusion scenario building technology: the analysis result does not correspond to the real intrusion scenarios, and it depends too much on a knowledge database. This paper mainly researches enhancement methods to solve these problems. For the problems in algorithms based on attribute differences, an improved algorithm is proposed. This algorithm gives new numerical attributes to IDS alert data and makes the attribute difference correspond to the difference of multi-attacks. Considering the drawbacks of correlation-based algorithms for building intrusion scenarios, we propose an intrusion scenario building method using a hidden Markov model, and achieve the goal of automatically constructing higher-level intrusion scenarios from numerous low-level original intrusion detection alerts. To simplify processing, our approach completes intrusion scenario building by abstracting the data flow twice and backtracking it once on data streams. Experimental results on the DARPA2000 IDS test dataset indicate that the proposed algorithm is efficient. |