
Research On Reconstructing Attack Scenarios Based On Causal Correlation

Posted on: 2006-10-07
Degree: Master
Type: Thesis
Country: China
Candidate: N Luo
Full Text: PDF
GTID: 2178360182969805
Subject: Communication and Information System
Abstract/Summary:
With the rapid development of the Internet and the arrival of the networked society, networks have deeply influenced politics, economy, culture, the military domain and people's daily lives. People focus on information security and, besides protecting information, pay increasing attention to improving the detection, response and recovery abilities of IDSs. Intrusion detection is a new and fast-developing field; it solves problems that traditional technology (access control, identity authentication, etc.) cannot. Because network system structures are extremely complex and widely distributed, intrusion detection faces many difficulties, mainly the following:

(1) The system vulnerabilities and bugs used in an attack are spread across different hosts, which can lead to mis-detection by traditional IDSs designed for single hosts or small-scale network environments.
(2) Worm attacks and DoS attacks show that intrusions are not single actions but multiple, deliberately coordinated actions.
(3) Collecting original data becomes difficult because the data sources are distributed.
(4) Faster transfer speeds and much larger network traffic create a bottleneck when the original data is centralized for processing, which leads to missed alarms.

Therefore many researchers focus on discovering the relationships between the data of an attack. This paper first classifies intrusion detection technology comprehensively, introduces its principles, and analyzes and compares it in depth with related technologies. It then proposes the concepts of indirect preparation and preparation constraint, which are based on a causal correlation algorithm and on the hidden relationships between the prerequisites and consequences of attacks. Secondly, a reasoning method is introduced to recover and integrate attack scenarios, in order to improve the quality of the recovered results and reduce the false positive and false negative rates.
Experiments demonstrate that our method is effective at discovering missed attacks and recovering attack scenarios, which improves the quality of the correlated alert scenarios and, indirectly, the intrusion detection rate.
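As an added illustration (not the thesis's own code or algorithm), the following Python sketch correlates alerts by matching the consequences of one attack type to the prerequisites of a later one on the same host, and reports a candidate missed step when a single known attack type would bridge the gap. The knowledge base, predicate names and alert stream are constructed, and treating a one-step bridge as "indirect preparation" is an assumed reading of the thesis's concept.

```python
from dataclasses import dataclass

@dataclass
class Alert:
    id: str
    kind: str
    host: str  # victim host the alert refers to
    t: int     # detection time (used only for ordering)

# Hypothetical knowledge base: attack type -> (prerequisites, consequences).
# Each predicate is instantiated with the alert's host, e.g. ("RootShell", "h1").
KB = {
    "PortScan":       (set(),            {"ServiceKnown"}),
    "BufferOverflow": ({"ServiceKnown"}, {"RootShell"}),
    "InstallDaemon":  ({"RootShell"},    {"DDoSDaemon"}),
    "DDoSAttack":     ({"DDoSDaemon"},   {"ServiceDown"}),
}

def prereqs(a):
    return {(p, a.host) for p in KB[a.kind][0]}

def conseqs(a):
    return {(c, a.host) for c in KB[a.kind][1]}

def prepares(a, b):
    """Direct causal link: a's consequences satisfy a prerequisite of the later alert b."""
    return a.t < b.t and bool(conseqs(a) & prereqs(b))

def correlate(alerts):
    """Return direct prepare-for edges plus hypothesized missed attack steps.
    A missed step is reported when no direct link exists but one KB attack type
    would bridge a's consequences to b's prerequisites (assumed reading of
    'indirect preparation')."""
    edges, missed = [], []
    for a in alerts:
        for b in alerts:
            if a is b or a.t >= b.t or a.host != b.host or not prereqs(b):
                continue
            if prepares(a, b):
                edges.append((a.id, b.id))
                continue
            for kind in KB:
                bridge = Alert("?", kind, a.host, a.t)  # candidate undetected step
                if prereqs(bridge) and prereqs(bridge) <= conseqs(a) and conseqs(bridge) & prereqs(b):
                    missed.append((a.id, kind, b.id))
    return edges, missed

# Constructed alert stream: the InstallDaemon step on h1 was never detected.
ALERTS = [Alert("a1", "PortScan", "h1", 1), Alert("a2", "BufferOverflow", "h1", 2),
          Alert("a3", "PortScan", "h2", 3), Alert("a4", "DDoSAttack", "h1", 4)]
```

Running `correlate(ALERTS)` links the scan to the overflow directly and flags an InstallDaemon step as the missing link between the overflow and the DDoS alert, while the unrelated scan on h2 stays uncorrelated.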
Keywords/Search Tags: Intrusion Detection, Correlation, Preparation Relation, Preparation Constraint, attack scenarios