
Research And Implementation Of Multi-Step Attack Scenario Mining Method Based On Alert Correlation

Posted on: 2020-10-04    Degree: Master    Type: Thesis
Country: China    Candidate: K Y Li    Full Text: PDF
GTID: 2428330572972241    Subject: Computer technology
Abstract/Summary:

With the development of information technology in the 21st century, people face more network security issues while enjoying the convenience of the Internet. The huge volume of low-level alerts generated by intrusion detection systems cannot show the full view of an attack scenario, and security management personnel are drowned in an ocean of information. Therefore, correlating alerts and discovering multi-step attack scenarios helps security managers improve efficiency and focus on the real problem.

The current methods for alert correlation and multi-step attack scenario mining mainly include: association based on attribute similarity, association based on predefined attack scenarios, association based on causal relationships, and association based on data mining. Most of these methods require expert knowledge and prior knowledge, and they do not extract unknown attack patterns well. Besides, existing priority assessment for alerts operates only at the level of individual low-level alerts, and there is little research on the priority rating of attack graphs.

In response to the above problems, the specific work carried out in this paper is as follows:

1. Aiming at the problem that attack scenario mining requires expert knowledge, a multi-step attack scenario mining algorithm based on attack graph features is proposed. This method does not require a large amount of expert knowledge and can discover new attack patterns. The characteristics and intrinsic relationships of the alerts are analyzed; after clustering by attribute similarity to form a preliminary candidate attack graph set, the significance of attack graph features for attack scenario mining is studied. Four features, alert interval rate, time span, alert income rate and priority difference, are used to cluster attack patterns and further mine the attack scenario.
2. For the analysis and evaluation of the results after correlation, a priority evaluation method based on the local outlier factor (LOF) is proposed. The attack graphs are prioritized, which has practical significance for discovering real abnormal attack scenarios.
3. Based on the proposed algorithms, each module of the system is designed and the environment is built to implement it.
4. The multi-step attack mining algorithm and the attack graph priority evaluation algorithm are evaluated through experiments, and their validity is compared and verified.
Keywords/Search Tags: alert correlation, attack graph feature, local outlier factor, attack scenario
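The abstract describes a three-stage pipeline (cluster alerts into candidate attack graphs, describe each graph by four features, rank graphs by LOF) without giving the formulas. The following Python script is an added worked example, not code from the thesis: it runs that pipeline over a small set of constructed IDS alerts so the ranking step can be inspected. The grouping rule (alerts sharing a source/destination pair form one candidate graph) and the exact definitions of the four features are assumptions made here for illustration; the LOF computation follows the standard k-distance / reachability-distance / local-reachability-density definition.

```python
"""Added example (not the thesis's code): candidate attack graphs from IDS
alerts, four assumed graph features, and LOF-based graph prioritization."""
import math
from collections import defaultdict

# Constructed sample alerts: (timestamp in seconds, src_ip, dst_ip, signature,
# priority with 1 = highest and 3 = lowest). Five short scan-like bursts and one
# longer multi-step chain against a second host.
ALERTS = [
    (0, "10.0.0.1", "192.168.1.10", "SCAN ping sweep", 3),
    (10, "10.0.0.1", "192.168.1.10", "SCAN port sweep", 3),
    (20, "10.0.0.1", "192.168.1.10", "SCAN SYN", 3),
    (100, "10.0.0.2", "192.168.1.10", "SCAN ping sweep", 3),
    (111, "10.0.0.2", "192.168.1.10", "SCAN port sweep", 3),
    (122, "10.0.0.2", "192.168.1.10", "SCAN SYN", 3),
    (200, "10.0.0.3", "192.168.1.10", "SCAN ping sweep", 3),
    (209, "10.0.0.3", "192.168.1.10", "SCAN port sweep", 3),
    (218, "10.0.0.3", "192.168.1.10", "SCAN SYN", 3),
    (300, "10.0.0.4", "192.168.1.10", "SCAN ping sweep", 3),
    (312, "10.0.0.4", "192.168.1.10", "SCAN port sweep", 3),
    (324, "10.0.0.4", "192.168.1.10", "SCAN SYN", 3),
    (400, "10.0.0.5", "192.168.1.10", "SCAN ping sweep", 3),
    (408, "10.0.0.5", "192.168.1.10", "SCAN port sweep", 3),
    (416, "10.0.0.5", "192.168.1.10", "SCAN SYN", 3),
    (500, "10.0.0.9", "192.168.1.20", "SCAN SYN", 3),
    (800, "10.0.0.9", "192.168.1.20", "WEB command injection attempt", 1),
    (1200, "10.0.0.9", "192.168.1.20", "POLICY privilege escalation", 1),
    (2000, "10.0.0.9", "192.168.1.20", "POLICY large outbound transfer", 1),
]


def build_candidate_graphs(alerts):
    """Step 1 (assumed similarity rule): alerts sharing (src_ip, dst_ip) form one
    candidate attack graph; sorting by time gives the directed edges."""
    groups = defaultdict(list)
    for alert in alerts:
        groups[(alert[1], alert[2])].append(alert)
    return {key: sorted(g, key=lambda a: a[0]) for key, g in groups.items()}


def graph_features(graph):
    """Step 2: the four features named in the abstract, with definitions assumed
    here: time span, mean alert interval, alert income rate (alerts per second of
    the span) and priority difference (max priority minus min priority)."""
    times = [a[0] for a in graph]
    prios = [a[4] for a in graph]
    span = times[-1] - times[0]
    interval = span / (len(graph) - 1) if len(graph) > 1 else 0.0
    income = len(graph) / span if span > 0 else float(len(graph))
    return [float(span), float(interval), income, float(max(prios) - min(prios))]


def min_max_scale(rows):
    """Scale each feature column to [0, 1] so the large time span does not
    dominate the Euclidean distance used by LOF."""
    cols = list(zip(*rows))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return [[(v - l) / (h - l) if h > l else 0.0
             for v, l, h in zip(row, lo, hi)] for row in rows]


def lof_scores(points, k):
    """Local Outlier Factor of every point (standard definition, k neighbours).
    Scores near 1 mean 'as dense as the neighbourhood'; much larger means outlier."""
    n = len(points)
    dist = [[math.dist(points[i], points[j]) for j in range(n)] for i in range(n)]
    neigh, kdist = [], []
    for i in range(n):
        order = sorted((dist[i][j], j) for j in range(n) if j != i)
        kd = order[k - 1][0]
        kdist.append(kd)
        neigh.append([j for d, j in order if d <= kd])  # ties are all kept
    lrd = []
    for i in range(n):
        # reachability distance of i w.r.t. neighbour j: max(k-dist(j), d(i, j))
        total = sum(max(kdist[j], dist[i][j]) for j in neigh[i])
        lrd.append(len(neigh[i]) / total if total > 0 else math.inf)
    scores = []
    for i in range(n):
        if math.isinf(lrd[i]):
            scores.append(1.0)  # exact duplicates: treated as inliers
        else:
            scores.append(sum(lrd[j] for j in neigh[i]) / len(neigh[i]) / lrd[i])
    return scores


def prioritize_attack_graphs(alerts, k=2):
    """Step 3: rank candidate graphs by LOF, highest first. A high score marks a
    graph whose feature profile differs from its neighbours, i.e. a candidate real
    multi-step scenario rather than background scanning noise."""
    graphs = build_candidate_graphs(alerts)
    keys = list(graphs)
    scaled = min_max_scale([graph_features(graphs[key]) for key in keys])
    return sorted(zip(keys, lof_scores(scaled, k)), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for (src, dst), score in prioritize_attack_graphs(ALERTS):
        print(f"{src} -> {dst}: LOF = {score:.2f}")
```

With k = 2 the five scan bursts score close to 1 while the multi-step chain against 192.168.1.20 scores far above them, so it sorts to the top of the analyst's queue. The choice of k and the feature scaling are the two knobs that most affect the ranking on real data; in the thesis's setting these would be tuned against the experimental alert sets described in item 4.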