
Research On Network Alert Correlation And Countermeasure Selection Based On Attack Graph

Posted on: 2017-05-26
Degree: Master
Type: Thesis
Country: China
Candidate: Y L Zhou
Full Text: PDF
GTID: 2348330488472283
Subject: Computer Science and Technology
Abstract/Summary:
With the continuous development of network technology, network attacks have become more intelligent and complex. Endless network attacks pose a great threat to network security and cause great damage, so how to protect computer networks has drawn wide attention. Intrusion detection systems are an effective network security defense technology: they find intrusion behavior in the network, respond to it in the form of alerts, and protect the security of the network in real time. In practice, however, intrusion detection systems have many shortcomings, such as huge volumes of alerts and discrete, unrelated alert information, so that the network administrator finds it difficult to locate attack sources and attack purposes and cannot take timely measures. To solve this problem, this thesis mines the relationships among alerts using alert correlation technology, discovers attack scenarios, builds the alert correlation graph, analyzes the attack scenarios and selects countermeasures for them. The main work on alert correlation and countermeasure selection is as follows:

(1) An alert correlation method based on the attack graph and alert similarity analysis is proposed. First, following the data model of the Intrusion Detection Message Exchange Format, the alert data format of the intrusion detection system is unified. Then, methods for calculating the similarity of alert attributes, such as IP address similarity, are studied. Drawing on the idea of principal component analysis, an alert similarity calculation method in which attribute weights are assigned automatically is put forward. Finally, by combining the attack graph with alert similarity, related alerts are associated into a directed graph, thereby replaying the attack scenario in which the attacker exploits the relationships among the network's vulnerabilities against the target network.

(2) For the discovered attack scenario, a countermeasure selection method based on return on investment is proposed. First, the concepts of a node's inherent probability and cumulative probability are introduced, with cumulative probability serving as the risk assessment index. Then, a method for calculating inherent probability from the Common Vulnerability Scoring System is given, nodes are divided into two types, series nodes and parallel nodes, and the calculation of cumulative probability is described for each type. Finally, the concept of return on investment is introduced, and the problem of finding vulnerability repair measures for high-risk nodes that have low cost, small negative impact and high effectiveness is translated into the problem of obtaining a high return on investment, which simplifies the solution process.

The above research is implemented in a programming language and evaluated in a simulation experiment on the DARPA 2000 data set. The experimental results show that the proposed method can not only correlate alerts whose premise alerts are missing or whose corresponding exploit is not found in the attack graph, but can also fully repair the attack graph when fewer than three discontinuous atomic attack nodes are missing. The countermeasure selection algorithm is able to select measures, and the locations at which to implement them, that are optimal overall in cost, negative impact and benefit for the attack scenario.
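As an added illustration of part (2), not code from the thesis: a small constructed attack graph in which cumulative probability is propagated through series and parallel nodes and candidate countermeasures are ranked by return on investment. The combination rules (product for series nodes, noisy-OR for parallel nodes), the ROI formula and every node, cost and impact value are assumptions made here, not the thesis's own definitions or data.

```python
import math
from copy import deepcopy

# Constructed sample attack graph (not the thesis's data). Each node has an inherent
# probability p (assumed: CVSS base score / 10), its predecessors and a kind:
# 'series' needs ALL predecessors reached, 'parallel' is reachable via ANY one.
GRAPH = {
    "web_rce":        {"p": 0.9, "pred": [], "kind": "series"},
    "ssh_bruteforce": {"p": 0.3, "pred": [], "kind": "series"},
    "user_shell":     {"p": 0.8, "pred": ["web_rce", "ssh_bruteforce"], "kind": "parallel"},
    "local_privesc":  {"p": 0.7, "pred": ["user_shell"], "kind": "series"},
    "db_access":      {"p": 0.6, "pred": ["local_privesc"], "kind": "series"},
}

# Constructed candidate countermeasures: the node each hardens, the inherent
# probability left after applying it, and its cost and negative impact (same units).
COUNTERMEASURES = {
    "patch_web_app":         {"node": "web_rce",        "new_p": 0.0, "cost": 2.0, "impact": 1.0},
    "disable_ssh_passwords": {"node": "ssh_bruteforce", "new_p": 0.0, "cost": 1.0, "impact": 2.0},
    "harden_local_privesc":  {"node": "local_privesc",  "new_p": 0.2, "cost": 4.0, "impact": 1.0},
    "restrict_db_acl":       {"node": "db_access",      "new_p": 0.1, "cost": 3.0, "impact": 3.0},
}

def cumulative(graph, node, memo=None):
    """Probability that an attacker reaches `node`: reachability of its preconditions
    (assumed: product for series, noisy-OR for parallel) times its inherent p."""
    memo = {} if memo is None else memo
    if node not in memo:
        info = graph[node]
        preds = [cumulative(graph, q, memo) for q in info["pred"]]
        if not preds:
            reach = 1.0
        elif info["kind"] == "series":
            reach = math.prod(preds)
        else:
            reach = 1.0 - math.prod(1.0 - q for q in preds)
        memo[node] = reach * info["p"]
    return memo[node]

def roi(graph, measure, target, asset_value):
    """Assumed ROI: (risk reduction on `target` * asset_value - impact) / cost."""
    patched = deepcopy(graph)
    patched[measure["node"]]["p"] = measure["new_p"]
    benefit = (cumulative(graph, target) - cumulative(patched, target)) * asset_value
    return (benefit - measure["impact"]) / measure["cost"]

def select_countermeasure(graph, measures, target, asset_value=100.0):
    """Rank candidate measures by ROI and return (best_name, best_roi)."""
    ranked = {name: roi(graph, m, target, asset_value) for name, m in measures.items()}
    best = max(ranked, key=ranked.get)
    return best, ranked[best]
```

With these sample values the cheap patch on the entry node wins on ROI even though restricting the database ACL gives the larger raw reduction in the cumulative probability of `db_access`, which is the trade-off the ROI formulation is meant to capture.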
Keywords/Search Tags: Intrusion Detection System, Attack Graph, Principal Component Analysis, Alert Correlation, Countermeasure Selection