
Research On Mining Multi-step Attack Mode With Distributed Heterogeneous Data

Posted on: 2021-04-02
Degree: Master
Type: Thesis
Country: China
Candidate: C Lu
Full Text: PDF
GTID: 2518306308470254
Subject: Cyberspace security

Abstract/Summary:
At present, network attacks have gradually developed from single, simple steps into complex, multi-step ones, and researchers have therefore studied this multi-step attack behaviour extensively. The most common approach is to obtain network alarm data from an IDS and try to find correlations between the alarms. However, the false positives and omissions of IDS alarms break the completeness of the multi-step attack analysis. It is difficult to get accurate attack clusters based on simple similarity alone, so using an attack graph is a good way, but it leads to another problem: it is difficult to guarantee a complete attack graph library.

Aiming at these two problems, this thesis studies how to use sensitive information flows to assist IDS alarms, and how to use as little prior knowledge as possible. It proposes heuristic multi-step attack model generation and attack prediction based on the kill-chain model. Attack clusters are obtained from the two data sources, the model graph of the multi-step attack is obtained by heuristic graph matching, and the predicted value of the next attack is obtained from the matching value. The thesis analyzes the purpose of each stage of the kill chain and divides the multi-step attack into stages by purpose, which is used to screen and filter the source data. In addition, according to the purpose of the multi-step attack, the kill-chain model is used to define the initial multi-step attack model as the initial graph for graph matching.

The specific work of this thesis is as follows:

1. Aiming at the false alarms and omissions of the alarm log, this thesis proposes a fusion algorithm that combines the concept of sensitive information, sensitive information traffic and the alarm log. The method uses the multi-source data of sensitive information flows and alarm logs for correlation analysis and attack cluster screening, which alleviates the incompleteness of the attack process caused by the defects of the alarm log.

2. Aiming at the problem that attack graph models need complete prior knowledge, a heuristic multi-step attack model generation and attack prediction method based on the kill-chain model is proposed. The thesis analyzes the purpose of each stage of a multi-step attack and the attributes of the source data, explains how the source data set is divided into stages by the kill-chain model and how attack clusters are screened and filtered according to it, and describes in detail how the generated attack cluster model is graph-matched against the initially defined multi-step attack model and how the weight value and quality matching value of the graph matching are calculated. This solves the problem that graph matching methods need a complete attack graph library. Experiments show that the method can obtain a better multi-step attack model and better prediction results for both known and unknown attacks.

3. The design and rationale of the fusion algorithm for sensitive information flows and alarm logs are explained, the heuristic multi-step attack model generation and attack prediction method based on the kill-chain model is designed in detail, examples and a pseudo-code implementation of the algorithm are given, and the realization of each module of the whole process is explained.

4. Data were collected for experiments and the experimental results analyzed. In terms of detection accuracy and detection completeness, the proposed fusion algorithm of sensitive information flows and alarm logs obtains attack clusters that are more complete and more in line with the attack process of the kill chain. Comparison of the generated multi-step attack models with the actual attacks shows that a multi-step attack model with a higher matching degree is obtained for both unknown and known attacks. Analysis of the prediction error shows that the presented method fits multi-step attack behaviour better, has certain advantages over the LCS algorithm, and approaches or matches the prediction error of the JEAN system; moreover, because JEAN matches against attack graphs of known attacks, while this thesis can also match the multi-step attack model graph for unknown attacks, it has certain advantages in practical application. Finally, the experimental results of the proposed method and the unsolved or existing problems are analyzed and summarized, and directions for further optimization are given.
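As an added illustration of the approach the abstract sketches (not the thesis's own algorithm, data or scoring), the following Python labels IDS alerts and sensitive-information flows with kill-chain stages, fuses them into per-host attack clusters, scores each cluster against an initial kill-chain model and predicts the next stage. The stage names, signature-to-stage mappings, scoring rule and the constructed events are all assumptions made for this example.

```python
"""Toy fusion of IDS alerts and sensitive-information flows, staged by a
kill-chain model. Stage labels, mappings and scoring are assumptions."""
from collections import defaultdict

# Initial multi-step attack model: ordered kill-chain stages (assumed labels).
KILL_CHAIN = ["recon", "exploitation", "c2", "collection", "exfiltration"]

# Each alert signature / flow type is mapped to the stage whose purpose it serves.
ALERT_STAGE = {"port_scan": "recon", "web_exploit": "exploitation", "beacon": "c2"}
FLOW_STAGE = {"sensitive_db_read": "collection", "sensitive_outbound": "exfiltration"}

# Constructed sample data: the IDS sees recon and exploitation from 10.0.0.5 but
# misses the C2 beacon; a sensitive-data flow from the same host fills the gap.
ALERTS = [
    {"ts": 100, "src": "10.0.0.5", "sig": "port_scan"},
    {"ts": 160, "src": "10.0.0.5", "sig": "web_exploit"},
    {"ts": 170, "src": "10.0.0.9", "sig": "port_scan"},
]
FLOWS = [
    {"ts": 240, "src": "10.0.0.5", "type": "sensitive_db_read"},
]

def fuse(alerts, flows):
    """Build one attack cluster per source host: the time-ordered sequence of
    kill-chain stages drawn from both data sources (consecutive repeats dropped)."""
    events = [(a["ts"], a["src"], ALERT_STAGE.get(a["sig"])) for a in alerts]
    events += [(f["ts"], f["src"], FLOW_STAGE.get(f["type"])) for f in flows]
    clusters = defaultdict(list)
    for _, src, stage in sorted(e for e in events if e[2] is not None):
        if not clusters[src] or clusters[src][-1] != stage:
            clusters[src].append(stage)
    return dict(clusters)

def match(stages):
    """Quality of match against the model: share of model stages the cluster
    covers, counted only while the cluster follows the model's order."""
    pos, covered = 0, 0
    for stage in KILL_CHAIN:
        if pos < len(stages) and stages[pos] == stage:
            covered += 1
            pos += 1
    return covered / len(KILL_CHAIN)

def predict_next(stages):
    """Predict the next stage from the furthest model stage the cluster reached."""
    reached = max((KILL_CHAIN.index(s) for s in stages), default=-1)
    return KILL_CHAIN[reached + 1] if reached + 1 < len(KILL_CHAIN) else None

if __name__ == "__main__":
    for host, stages in fuse(ALERTS, FLOWS).items():
        print(host, stages, round(match(stages), 2), predict_next(stages))
```

Run stand-alone, the fused cluster for 10.0.0.5 scores 0.6 and predicts exfiltration, whereas the alert-only sequence would score 0.4 and predict c2, which is the gap the abstract's fusion step is meant to close.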
Keywords/Search Tags: multi-step-attack-model, kill-chain, graph-matching-algorithm, attack-prediction