
Research On Attack Scenarios Reconstructing Method Based On Causal Correlation And Probabilistic Correlation

Posted on: 2012-05-24
Degree: Master
Type: Thesis
Country: China
Candidate: L L Wang
Full Text: PDF
GTID: 2178330338484193
Subject: Communication and Information System

Abstract/Summary:
Intrusion Detection System (IDS) is one of the fast-developing network security devices of recent years. It strengthens administrators' security management abilities: monitoring, auditing, identifying attacks and responding to them. However, IDS has limitations that stem from its working principle, the layer at which it operates and performance issues, and it encounters several problems in production environments: 1) The alerts generated by IDS are very basic and isolated, and show no potential relationships among alerts. 2) It is extremely difficult to manually manage seas of alerts. 3) IDS techniques can be roughly classified as anomaly detection and misuse detection, and both can easily miss alerts or generate false alerts.

Because of these issues, researchers have begun to look into the relationships among attack alerts in order to enhance their accuracy and usability. Attack scenarios can be reconstructed by correlating intrusion alerts. Causal correlation is a typical correlation method with good analysis results. It reconstructs alerts into attack scenario graphs by correlating alerts on the basis of the prerequisites and consequences of intrusions. However, this method depends heavily on a comprehensive expert knowledge base and is badly affected by missing alerts and false alerts. Besides, it is very time-consuming. Traditional probabilistic correlation is another typical correlation method, which is easy to use and does not depend on a knowledge base. It has the potential to discover new attacks. However, it is not easy to define probability assessment functions. It cannot find the true internal links among alerts and has very limited extensibility.

Generally, attackers adopt multiple methods and steps to perform a successful attack. Based on the features of multistep attacks, this paper proposes a hybrid model based on causal correlation and probabilistic correlation to reconstruct attack scenarios.

This model includes three core parts: alert fusion, classified causal correlation and probabilistic correlation. As a module prior to alert correlation, alert fusion reduces the redundancy of the original alerts generated by IDS. Classified causal correlation first classifies alerts based on attack targets and then conducts causal correlation within every class. In this way, the performance of causal correlation is improved while unreliable alerts are removed at the same time. After classified causal correlation, probabilistic correlation is executed among these classes. It takes advantage of the strong points of probabilistic correlation to make up for the disadvantages of causal correlation.

According to the experimental results and related analysis, this hybrid scenario reconstruction model reduces the dependence of causal correlation on the knowledge base. It solves the problem of attack scenarios being broken by an incomplete knowledge base and missing alerts. It also has lower algorithmic complexity. Based on attack targets, this model produces attack scenarios and shows the attackers' purposes in a more layered and structured way. Thus, it helps administrators find the attack strategy and ultimate purposes so as to respond better to particular security events in time.
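The three-stage pipeline described above, as an added illustration that is not the thesis's own code: alert fusion, causal correlation within per-target classes, and probabilistic correlation between classes. The prerequisite/consequence knowledge base, the attack types, the hosts and the scoring function with its weights and threshold are all constructed assumptions for the demo; the sample shows a pivot whose preceding steps the IDS missed, which the intra-class causal step cannot link and the inter-class probabilistic step does.

```python
from collections import defaultdict
# Assumed prerequisite/consequence knowledge base: attack type -> (prerequisites, consequences).
KB = {"port_scan": ({"reachable"}, {"ports_known"}),
      "vuln_probe": ({"ports_known"}, {"vuln_known"}),
      "exploit": ({"vuln_known"}, {"shell"})}

def fuse(raw, window=5):
    """Alert fusion: collapse repeats of the same (type, src, dst) arriving within `window` seconds."""
    fused = []
    for a in sorted(raw, key=lambda a: a["t"]):
        same = fused and all(fused[-1][k] == a[k] for k in ("type", "src", "dst"))
        if same and a["t"] - fused[-1]["t"] <= window:
            fused[-1]["count"] += 1            # keep the first alert, count the duplicates
        else:
            fused.append(dict(a, count=1))
    return fused

def causal_edges(alerts):
    """Causal correlation inside one class: a -> b when a consequence of a is a prerequisite of b."""
    return [(a["id"], b["id"]) for i, a in enumerate(alerts) for b in alerts[i + 1:]
            if a["type"] in KB and b["type"] in KB and KB[a["type"]][1] & KB[b["type"]][0]]

def prob_score(a, b):
    """Assumed assessment function: same attacker or pivot (earlier victim is new source), 10-min decay."""
    link = 1.0 if b["src"] in (a["src"], a["dst"]) else 0.0
    return 0.5 * link + 0.5 * max(0.0, 1 - (b["t"] - a["t"]) / 600)

def reconstruct(raw, threshold=0.7):
    """Pipeline: fusion -> classify by target -> causal edges per class -> probabilistic edges."""
    classes = defaultdict(list)                # classified step: one class per attack target
    for a in fuse(raw):
        classes[a["dst"]].append(a)
    intra = {dst: causal_edges(al) for dst, al in classes.items()}
    inter = []
    for x in classes:
        for y in classes:
            a, b = classes[x][-1], classes[y][0]   # end of one class to start of another
            if x != y and a["t"] <= b["t"] and (s := prob_score(a, b)) >= threshold:
                inter.append((a["id"], b["id"], round(s, 2)))
    return intra, inter

# Constructed sample: 10.0.0.5 scans, probes and exploits .10, then pivots from .10 to .20
# (the scan and probe against .20 were missed by the IDS); .30 only sees an unrelated scan.
def mk(i, t, typ, src, dst):
    return {"id": i, "t": t, "type": typ, "src": src, "dst": dst}
RAW = [mk(i, i - 1, "port_scan", "10.0.0.5", "192.168.1.10") for i in range(1, 5)] + [
    mk(5, 30, "vuln_probe", "10.0.0.5", "192.168.1.10"),
    mk(6, 60, "exploit", "10.0.0.5", "192.168.1.10"),
    mk(7, 120, "exploit", "192.168.1.10", "192.168.1.20"),
    mk(8, 400, "port_scan", "10.9.9.9", "192.168.1.30")]
```

`reconstruct(RAW)` yields the causal chain scan -> probe -> exploit inside the 192.168.1.10 class, no causal edges for the other two classes, and a single probabilistic edge from the exploit on .10 to the exploit on .20; the unrelated scan of .30 stays unlinked.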
Keywords/Search Tags: Intrusion Detection, Alert Correlation, Causal Correlation, Probabilistic Correlation, Alert Fusion