Research On Attack Detection And Intent Recognition Based On Multi-Sensor Data Fusion

Posted on: 2011-04-11
Degree: Master
Type: Thesis
Country: China
Candidate: J R Lin
GTID: 2178330338989865
Subject: Computer Science and Technology
Abstract/Summary:
To ensure network security, sensors with different functions are deployed across the network. Working individually, however, each sensor produces a large volume of redundant security data and alerts, with high false positive and false negative rates. In this context, multi-sensor data fusion technology has been applied more and more widely in the network security realm. At present, data fusion technology cannot realize its full advantages because the data being fused are still homogeneous, and the redundancy and complementarity of the data go unused. In this thesis, multi-sensor data fusion technology is applied to network attack detection and intent recognition, and a prototype system is implemented. The main contributions of this thesis are as follows.

1. A classification method for network security data fusion technology, based on both temporal and spatial analysis, is proposed. It takes the application features of the network security realm into account and divides multi-sensor data fusion technology applied in network security into two classes: time-based and space-based. The advantages and disadvantages of the two classes are then analyzed, and the development trend of multi-sensor data fusion technology in network security is discussed.

2. A detection method for simple attacks based on multi-sensor data fusion is developed. Each sensor first generates hyper-alerts from logically correlated alerts; each hyper-alert event is then used as evidence and fused through extended D-S Evidence Theory. The success probability of each corresponding attack is obtained by combining the fusion result with the vulnerabilities and service information the attack relies on. Experimental results show that the proposed method can effectively reduce the number of alerts and improve detection accuracy.

3. A composite attack detection and intent recognition method based on extended D-S Evidence Theory is proposed. It first defines the attack order between the different simple attacks in a composite attack, and a representation of attack intent scenarios based on that attack order. Hyper-alert events with different reliabilities from each sensor are then fused through extended D-S Evidence Theory to achieve attack detection and intent recognition. Experimental results show that the proposed method can effectively detect composite attacks and recognize the intent of attackers.

4. A prototype system for attack detection and intent recognition based on multi-sensor data fusion is designed and implemented. The system has a modular design for good scalability. It adopts a distributed structure to deploy heterogeneous sensors in the network, and a hierarchical logic design to fuse the hyper-alerts that each sensor produces independently and transmits to the fusion center. The system interface is implemented with Eclipse RCP (Rich Client Platform) to construct different perspectives, and the network topology is laid out with the Eclipse Zest Visualization Toolkit for better visual effect and interoperability.
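As an added illustration (not code from the thesis), the sketch below fuses hyper-alert evidence from two sensors with different reliabilities. The abstract does not specify the "extended" D-S variant, so this uses classic Dempster's rule with Shafer reliability discounting as a stand-in; the function names, attack hypotheses, masses and reliabilities are all constructed assumptions.

```python
from itertools import product

def discount(mass, reliability, frame):
    """Shafer discounting: scale each focal element by the sensor's
    reliability and move the remainder onto the whole frame (ignorance)."""
    out = {s: reliability * m for s, m in mass.items() if s != frame}
    out[frame] = 1.0 - reliability + reliability * mass.get(frame, 0.0)
    return out

def combine(m1, m2):
    """Dempster's rule: multiply masses of intersecting focal elements and
    renormalise by 1 - K, where K is the mass that lands on the empty set."""
    fused, conflict = {}, 0.0
    for (a, x), (b, y) in product(m1.items(), m2.items()):
        inter = a & b
        if inter:
            fused[inter] = fused.get(inter, 0.0) + x * y
        else:
            conflict += x * y
    if conflict >= 1.0 - 1e-12:
        raise ValueError("total conflict: sources cannot be combined")
    return {s: v / (1.0 - conflict) for s, v in fused.items()}, conflict

# Belief counts mass committed inside the hypothesis; plausibility counts
# all mass that does not contradict it.
def belief(mass, hypothesis):
    return sum(v for s, v in mass.items() if s <= hypothesis)

def plausibility(mass, hypothesis):
    return sum(v for s, v in mass.items() if s & hypothesis)

def fuse_sensors(reports, frame):
    """reports: list of (mass function, sensor reliability) pairs."""
    fused, conflicts = None, []
    for mass, rel in reports:
        m = discount(mass, rel, frame)
        if fused is None:
            fused = m
        else:
            fused, k = combine(fused, m)
            conflicts.append(k)  # high K flags sensors that disagree
    return fused, conflicts

# Constructed sample: hypotheses, masses and reliabilities are illustrative.
FRAME = frozenset({"scan", "bruteforce", "benign"})
BF = frozenset({"bruteforce"})
NIDS = ({BF: 0.7, frozenset({"scan", "bruteforce"}): 0.2, FRAME: 0.1}, 0.9)
HOST = ({BF: 0.6, frozenset({"benign"}): 0.3, FRAME: 0.1}, 0.6)
FUSED, CONFLICTS = fuse_sensors([NIDS, HOST], FRAME)
print(round(belief(FUSED, BF), 4), round(plausibility(FUSED, BF), 4))
```

The conflict value K returned for each combination is worth logging in a fusion center: a K near 1 means the sensors contradict each other and the normalised result should not be trusted.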
Keywords/Search Tags: Multi-Sensor Data Fusion, Extended D-S Evidence Theory, Composite Attack, Attack Detection, Intent Recognition