
Network Multistage Attack Model And Detection Approach Based On Extended Directed Graph

Posted on: 2009-05-15
Degree: Doctor
Type: Dissertation
Country: China
Candidate: A F Zhang
Full Text: PDF
GTID: 1118360275971050
Subject: Computer system architecture
Abstract/Summary:
Alert correlation rests on the principle that the relationships between alerts reflect, to a degree, the relationships between attack actions. These relationships can be discovered by comprehensive analysis: the number of alerts can be reduced by alert aggregation, false positives can be eliminated by cross-correlation with background knowledge, and the logical relationships between different alert types can be disclosed by multistage attack correlation. Most existing approaches focus on discovering correlation relationships rather than predicting attacks. In fact, predicting the next attack step is more significant than post-hoc analysis, because the former helps take appropriate actions to protect the network from further compromise. To address this problem, alert correlation and multistage attack prediction based on an extended directed graph is proposed, which can represent attack features and abstract patterns of multistage attacks. Whenever an attack sequence that partly matches the graph appears, the corresponding pattern can be recognized and the successive steps can be predicted. The extraction of attack features and abstract action patterns of multistage attacks results from the analysis of historical data. The regularities between alert attributes indicate the patterns of attack actions. An alert comprises several attributes with different data types. The algorithm for discovering frequent episodes in event sequences needed to be adapted for alert sequence analysis. During the mining process, more attention is paid to the relationship between the alert type attribute and the other attributes. The patterns in the results represent the transition relations between attack types, and the attribute constraints represent the correlation relations.
This approach can extract attack action patterns and constraints effectively, especially for automated attacks. An extended directed graph is presented to model the relations between attack actions, in which nodes represent attack types and directed edges represent the transition relations between attack types. Newly arriving alerts are matched against the graph. Firstly, the sets of possible alerts that satisfy the constraints are collected according to the directed edges. Secondly, the correlation relationship between each alert pair is judged. Thirdly, the completeness and matching degree are computed. Finally, the next attack action is predicted according to the results of these two indicators. The approaches are evaluated with the DARPA 2000 data sets and live data collected from our honeynet and a local test network. Experiments show that the approach can effectively construct attack scenarios and accordingly predict the attack action at least one step ahead on average. The detection rate reaches 93%.
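The four-step matching procedure above, as an added illustrative example that is not the dissertation's own code: a constructed scenario graph whose nodes are attack types and whose edges carry attribute constraints, a constructed alert stream, and a matcher that judges pair correlation, scores completeness and matching degree, and predicts the next attack type. The attack-type names, the constraint form, and the two scoring formulas are this example's own assumptions, since the page does not define them.

```python
from typing import Dict, List, Tuple

Alert = Dict[str, str]
# Constructed scenario graph (assumption, not from the dissertation): each attack
# type maps to its successors plus the attribute pairs (attr of earlier alert,
# attr of later alert) that should agree for the two alerts to be correlated.
GRAPH: Dict[str, List[Tuple[str, List[Tuple[str, str]]]]] = {
    "Scan":          [("ServiceProbe",  [("dst_ip", "dst_ip")])],
    "ServiceProbe":  [("RemoteExploit", [("dst_ip", "dst_ip"), ("src_ip", "src_ip")])],
    "RemoteExploit": [("AgentInstall",  [("dst_ip", "dst_ip"), ("src_ip", "src_ip")])],
    "AgentInstall":  [],
}
# Root nodes (no incoming edge) may start a new scenario instance.
ROOTS = {t for t in GRAPH if all(t != s for edges in GRAPH.values() for s, _ in edges)}

def steps_remaining(t: str) -> int:
    """Longest path from t to a sink; assumes the graph is acyclic."""
    return max((1 + steps_remaining(s) for s, _ in GRAPH[t]), default=0)

def correlate(prev: Alert, cur: Alert, constraints: List[Tuple[str, str]]) -> float:
    """Pair matching degree (assumed formula): share of edge constraints satisfied."""
    hits = sum(prev[a] == cur[b] for a, b in constraints)
    return hits / len(constraints) if constraints else 1.0

def match_alerts(alerts: List[Alert], min_pair: float = 0.5):
    """Return (matched alerts, completeness, matching degree, predicted next types)."""
    instances: List[Tuple[List[Alert], List[float]]] = []
    for a in alerts:
        extended = False
        for seq, degs in instances:                      # step 1: candidates via edges
            for succ, cons in GRAPH[seq[-1]["type"]]:
                if succ == a["type"]:
                    d = correlate(seq[-1], a, cons)      # step 2: judge the pair
                    if d >= min_pair:
                        seq.append(a); degs.append(d); extended = True
                        break
            if extended:
                break
        if not extended and a["type"] in ROOTS:
            instances.append(([a], []))
    results = []
    for seq, degs in instances:                          # step 3: score, step 4: predict
        matched = len(seq)
        completeness = matched / (matched + steps_remaining(seq[-1]["type"]))
        degree = sum(degs) / len(degs) if degs else 0.0
        results.append((seq, completeness, degree, [s for s, _ in GRAPH[seq[-1]["type"]]]))
    return results

# Constructed alert stream: three steps against 10.0.0.5 and one unrelated probe.
SAMPLE: List[Alert] = [
    {"type": "Scan",          "src_ip": "203.0.113.9",  "dst_ip": "10.0.0.5"},
    {"type": "ServiceProbe",  "src_ip": "203.0.113.9",  "dst_ip": "10.0.0.5"},
    {"type": "ServiceProbe",  "src_ip": "198.51.100.2", "dst_ip": "10.0.0.77"},
    {"type": "RemoteExploit", "src_ip": "203.0.113.9",  "dst_ip": "10.0.0.5"},
]
```

On SAMPLE the matcher builds one three-step instance, drops the unrelated probe (it is neither a root nor a constraint-satisfying successor), and predicts AgentInstall as the next step.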
Keywords/Search Tags:Intrusion detection, Alert correlation, Multistage attack, Attack action pattern, Attack prediction