
Research On Multi-Step Attack Detection Method Based On GCT

Posted on: 2011-10-30    Degree: Master    Type: Thesis
Country: China    Candidate: C Yuan    Full Text: PDF
GTID: 2178360305454498    Subject: Network and information security
Abstract/Summary:
With the global spread of information driven by the Internet, network information technology has become pervasive; it is studied ever more deeply and applied across academia, business and government. As the Internet has spread, network security has become a central issue affecting network performance: the free, open and international character of the Internet gives applications great flexibility, but it also raises the bar for security. Network security has two sides, attack and defense. Classified by what the attacker targets, it covers three properties: confidentiality of information, integrity of data and availability of service. The distributed denial of service (DDoS) attack, a complex multi-step attack against service availability, is popular because it is relatively simple to carry out and extremely harmful. From the point of view of the security experts who defend against such attacks, network security research covers three areas: cryptography, security architectures for authentication and certification, and security products for network protection, detection and response. Intrusion detection is regarded as the foundation of security defense; it was first proposed by Anderson in 1980 and has now been developed for 30 years. Intrusion detection technology has matured, but IDSs based on misuse detection and on anomaly detection share the same defects: a high false positive rate and many repeated alarms for the same event. Attacks, meanwhile, keep growing more complex, while an IDS mainly targets low-level, isolated suspicious behaviour. The result is a large number of isolated alarms mixed with false ones, which administrators find difficult to analyse and to respond to in time and effectively.
These problems undoubtedly hold back the development of IDS. Starting from the defender's side, and building on the intrusion detection technology and its common model, this thesis analyses the problems of IDS. There are three main ones: a high false positive rate, unrelated alarm records and a very large volume of alarms, which together make it hard for administrators to analyse the alarms and respond in real time. False positives have three main causes. First, the working principle of IDS: a misuse detection system stores attack signatures in files or a database and matches observed activity against this knowledge; when activity matches, the IDS raises an alarm without considering the specific environment, so activity that carries the signature but is not an attack still produces an alarm. Anomaly detection builds a model of normal behaviour and sets thresholds from experience; activity outside the model raises an alarm, so when the model is too narrow, normal activity is reported as an attack. Second, IDS configuration: if the environment is not taken into account, the system naturally produces a large number of false messages that leave the administrator puzzled. Third, the mode of operation of IDS: the system raises an alarm for suspicious behaviour without considering whether the attack succeeded or failed, so an alarm is not the same as an attack; it is a kind of guess and may be wrong. Looking at the meaning of an alarm from the perspective of the attack process, a multi-step attack produces alarms at each phase, but with respect to its final goal these alarms in fact represent a single attack event.
Taking DDoS as the typical multi-step attack, its execution usually involves five steps: IP scanning to find live hosts, port scanning to find machines with exploitable vulnerabilities, a buffer overflow to obtain initial access, installation of a Trojan horse to escalate privilege, and so on. The alarm correlation model consists of five modules: alarm extraction; alarm integration, clustering and classification; alarm correlation; the correlation rule knowledge base; and alarm output processing, the last covering two aspects, attack scenario construction and the response mechanism. Current alarm correlation research falls into two categories, based on misuse detection and based on anomaly detection. Early work was mainly misuse-based, covering methods based on attribute similarity, on known attack scenarios and on the prerequisites and consequences of attacks. As the field grew, new methods were proposed, such as those based on data mining and on statistical analysis. This thesis studies in depth the method based on the Granger causality test (GCT), a statistical time-series technique presented by Lee. GCT is mainly used in financial econometrics, and its application to alert correlation was an inspiring step. Although it does not depend on a predefined knowledge base, it still needs experts to select the hyper-alert priorities before correlation and to validate the final correlation results, and it identifies the characteristic attack stages. This thesis presents the theory of GCT in depth, analyses Lee's method and, against the characteristics of distributed denial of service attacks, designs a GCT-based multi-step attack detection method.
The method has three parts: classify and aggregate the raw alerts to form hyper-alerts; build the correlation sequences; and carry out correlation detection. It targets the typical multi-step attack, DDoS: through research and analysis it extracts the features of each step of the attack and classifies alerts according to attack intention. This amounts to a rough division into target hyper-alerts and cause hyper-alerts, which reduces the number of correlation tests that must be run and makes detection more targeted. In a multi-step attack the attacker needs preparatory phases to reach the final goal; the phases follow a definite order, and the transition from one phase to the next is uncertain. Alarms in adjacent phases are closely related statistically, so restricting correlation to the objects that should be correlated effectively reduces spurious causality. The thesis also tests over a partial time interval rather than the whole one. Alarms of the same class against the same target are concentrated in time, while alarms of different classes are further apart in time, which means many time segments contain no alarms at all. If the whole interval were used to test the causal relationship, the number of time segments and the lag length would have to be large enough to cover the whole effective range; the algorithm then has to calibrate the coefficients many times to reach the optimal solution and compute the squared error repeatedly. Omitting the empty ranges and computing only over the effective range that contains alarms reduces the complexity of the algorithm. Finally, experiments show the method to be effective.
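As an added example (not code from the thesis or from Lee's work), the following pure-Python block runs the bivariate Granger causality test between two hyper-alert count series and trims the empty time segments at both ends, which is one simple reading of the "effective range" idea above. The per-slot counts, the scan-then-exploit scenario and the function names are constructed assumptions for illustration. The block reports the F statistic in both directions; the reader compares it with the F(p, n - 2p - 1) critical value from a table or from scipy, which the block does not compute.

```python
"""Granger causality test (GCT) between two hyper-alert count series.

Added example, not code from the thesis. Inputs are assumed to be
per-slot alarm counts of two hyper-alert classes (cause phase and
target phase) covering the same time slots.
"""
from typing import List, Sequence, Tuple


def _solve(a: List[List[float]], b: List[float]) -> List[float]:
    """Solve a @ x = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        if abs(m[col][col]) < 1e-12:
            raise ValueError("singular design matrix (collinear lags)")
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for i in range(n - 1, -1, -1):
        x[i] = (m[i][n] - sum(m[i][j] * x[j] for j in range(i + 1, n))) / m[i][i]
    return x


def _rss(rows: List[List[float]], y: List[float]) -> float:
    """Residual sum of squares of the OLS fit of y on the given rows."""
    k = len(rows[0])
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * yi for r, yi in zip(rows, y)) for i in range(k)]
    beta = _solve(xtx, xty)
    return sum((yi - sum(b * v for b, v in zip(beta, r))) ** 2 for r, yi in zip(rows, y))


def granger_f(target: Sequence[float], cause: Sequence[float], lag: int = 1) -> float:
    """F statistic for 'cause Granger-causes target' at the given lag length.

    Restricted model:   y_t = a0 + sum_i a_i * y_{t-i}
    Unrestricted model: y_t = a0 + sum_i a_i * y_{t-i} + sum_i b_i * x_{t-i}
    F = ((RSS_r - RSS_u) / lag) / (RSS_u / (n - 2*lag - 1)),
    to be compared by the caller with the F(lag, n - 2*lag - 1) critical value.
    """
    if len(target) != len(cause):
        raise ValueError("series must cover the same slots")
    n_obs = len(target) - lag
    df_u = n_obs - (2 * lag + 1)
    if df_u <= 0:
        raise ValueError("not enough slots for this lag length")
    ts = range(lag, len(target))
    y = [float(target[t]) for t in ts]
    own = [[1.0] + [float(target[t - i]) for i in range(1, lag + 1)] for t in ts]
    both = [row + [float(cause[t - i]) for i in range(1, lag + 1)] for row, t in zip(own, ts)]
    rss_r, rss_u = _rss(own, y), _rss(both, y)
    if rss_u < 1e-9:  # the cause lags explain the target exactly
        return float("inf")
    return ((rss_r - rss_u) / lag) / (rss_u / df_u)


def effective_range(*series: Sequence[float]) -> Tuple[int, int]:
    """Slot window [start, stop) from the first to the last slot in which any
    series carries an alarm; leading and trailing empty slots are dropped so
    the test only runs over the range that actually contains alarms."""
    active = [i for i in range(len(series[0])) if any(s[i] > 0 for s in series)]
    if not active:
        return 0, 0
    return active[0], active[-1] + 1


# Constructed per-slot alarm counts (not measured data): port-scan alarms
# (cause phase) and exploit alarms (target phase) over 28 slots. Each
# exploit count equals the previous slot's scan count plus a small
# perturbation, i.e. scan -> exploit with a one-slot lag.
SCAN = [4, 0, 6, 1, 5, 0, 3, 7, 2, 5, 1, 6, 0, 4, 2, 7, 3, 0, 5, 1, 6, 2, 4, 0, 7, 3, 1, 5]
EXPLOIT = [0, 5, 0, 6, 2, 5, 1, 3, 7, 3, 5, 1, 7, 0, 5, 2, 7, 4, 0, 5, 2, 6, 3, 4, 0, 8, 3, 1]


def both_directions(cause: Sequence[float], target: Sequence[float], lag: int = 1) -> Tuple[float, float]:
    """F for cause -> target and for target -> cause over the effective range."""
    start, stop = effective_range(cause, target)
    c, t = list(cause[start:stop]), list(target[start:stop])
    return granger_f(t, c, lag), granger_f(c, t, lag)


if __name__ == "__main__":
    f_fwd, f_rev = both_directions(SCAN, EXPLOIT)
    print(f"scan -> exploit: F = {f_fwd:.1f}")
    print(f"exploit -> scan: F = {f_rev:.1f}")
```

Running the test in both directions is the check that matters: a large F from scan to exploit together with a small F in the reverse direction is what distinguishes a causal phase transition from two hyper-alerts that merely co-occur. In practice the raw alerts first have to be classified into phases and aggregated into fixed slots, and the lag length must be chosen to cover the typical gap between phases.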
Keywords/Search Tags:Granger Causality Test, Alarm Correlation, Multi-Step Attack