
Research Of IDS Alert Correlation Model Based On Description Logics

Posted on: 2008-01-22
Degree: Master
Type: Thesis
Country: China
Candidate: H B Zhang
Full Text: PDF
GTID: 2178360242477071
Subject: Communication and Information System
Abstract/Summary:
In recent years, with the development of computer network technology, network security problems have grown more serious. Intrusion detection systems (IDSs), as one of the key components of an information security safeguard system, are increasingly deployed to protect networks. However, current IDSs still have several shortcomings. First, security administrators are overwhelmed by the thousands of alerts generated by IDSs every day, most of which are low-level alerts. Second, different IDSs cooperate poorly with one another: administrators can only analyze the alerts from each IDS separately and have difficulty assessing the security status of the whole network. Third, it is difficult to detect multi-step attacks and to forecast the next attack the attacker will launch. To address these problems, many alert correlation techniques have been proposed that automatically correlate alerts which have logical relations between them, and the prerequisite-based correlation method in particular has become one of the hot research topics in this field.

To apply the prerequisite-based correlation method efficiently in IDSs, this thesis introduces two concepts: description logics and abilities. Abilities describe the attacker's intention in detail and are the basic units used to correlate different attacks. However, describing the attacker's intention completely requires a large number of abilities with intricate relations between them, so description logics, with their strong expressive and reasoning power, are used to define and organize the abilities. In this way the intrinsic relations between abilities are made explicit, and from them the correlation relations and substitution relations between different attacks can be defined. Our method is therefore based on description logics, which are used to define the attacks.

In our method, attack scenarios serve as carriers for matching alerts, and ability sets serve as bridges for constructing attack scenarios. In this way the inherent logical relations between different alerts can be shown clearly, and alert correlation can proceed on that basis. On this foundation we propose an IDS alert correlation model based on description logics. The core of the model is the attack knowledge base: through a simple query/reply mechanism, alerts are correlated and merged, and the next attack that may occur is forecast. The key part of the model is the construction of the attack knowledge base, which is described and explained in detail in this thesis. A simulation experiment also indicates that the model can not only detect multi-step attacks but also forecast the next attack.
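The following is an added illustration of the prerequisite-based correlation described above; it is not the thesis's own code or knowledge base. It stands in for the description-logic reasoning with a plain subsumption hierarchy over abilities (a child ability implies its parent), so that an attack whose consequence is a more specific ability can substitute for one that yields the general ability. The attack definitions, ability names and the alert stream are all constructed here for the example.

```python
"""Prerequisite-based IDS alert correlation with an ability hierarchy.

Added example, not the thesis's model. The knowledge base, ability
hierarchy and alerts below are constructed for illustration only.
"""
from dataclasses import dataclass, field

# Subsumption between abilities (child -> parent). Holding the child
# ability implies holding the parent, e.g. a root shell is a remote shell,
# and any remote shell is code execution. Constructed hierarchy.
ABILITY_PARENT = {
    "remote_shell_root": "remote_shell",
    "remote_shell_user": "remote_shell",
    "remote_shell": "code_execution",
    "service_version_known": "host_reachable",
    "port_open_known": "host_reachable",
}


def ability_closure(abilities):
    """Return the abilities plus every ability they subsume up to."""
    out = set()
    for a in abilities:
        while a is not None and a not in out:
            out.add(a)
            a = ABILITY_PARENT.get(a)
    return out


@dataclass(frozen=True)
class Attack:
    name: str
    prerequisites: frozenset  # abilities the attacker must already hold
    consequences: frozenset   # abilities gained when the attack succeeds


# Constructed attack knowledge base keyed by IDS signature name.
KNOWLEDGE_BASE = {
    "icmp_sweep": Attack("icmp_sweep", frozenset(), frozenset({"host_reachable"})),
    "port_scan": Attack("port_scan", frozenset({"host_reachable"}), frozenset({"port_open_known"})),
    "banner_grab": Attack("banner_grab", frozenset({"port_open_known"}), frozenset({"service_version_known"})),
    "ftp_overflow": Attack("ftp_overflow", frozenset({"service_version_known"}), frozenset({"remote_shell_root"})),
    "install_rootkit": Attack("install_rootkit", frozenset({"remote_shell_root"}), frozenset({"persistence"})),
    "ddos_daemon": Attack("ddos_daemon", frozenset({"code_execution"}), frozenset({"ddos_agent"})),
}


@dataclass
class Scenario:
    victim: str
    steps: list = field(default_factory=list)  # correlated attack names, in order
    abilities: set = field(default_factory=set)  # ability set built so far
    merged: int = 0                               # duplicate alerts folded in


def satisfied(attack, abilities):
    """True if the attack's prerequisites are covered by the (closed) ability set."""
    return attack.prerequisites <= ability_closure(abilities)


def correlate(alerts):
    """Link each alert to the per-victim scenario whose ability set satisfies
    the attack's prerequisites, merging repeats; return unlinked alerts too."""
    scenarios, unlinked = {}, []
    for alert in alerts:
        attack = KNOWLEDGE_BASE.get(alert["sig"])
        if attack is None:                       # signature unknown to the KB
            unlinked.append(alert)
            continue
        sc = scenarios.get(alert["dst"]) or Scenario(alert["dst"])
        if not satisfied(attack, sc.abilities):  # no scenario explains it yet
            unlinked.append(alert)
            continue
        scenarios[alert["dst"]] = sc
        if attack.name in sc.steps:              # same step reported again
            sc.merged += 1
            continue
        sc.steps.append(attack.name)
        sc.abilities |= attack.consequences
    return scenarios, unlinked


def forecast(scenario):
    """Attacks not yet seen whose prerequisites the scenario already satisfies
    and whose consequences it does not yet hold: the likely next steps."""
    have = ability_closure(scenario.abilities)
    return sorted(a.name for a in KNOWLEDGE_BASE.values()
                  if a.name not in scenario.steps
                  and a.prerequisites <= have
                  and not a.consequences <= have)


# Constructed alert stream: one multi-step attack on .10, a stray alert on .20.
ALERTS = [
    {"ts": 1, "src": "10.0.0.5", "dst": "192.168.1.10", "sig": "icmp_sweep"},
    {"ts": 2, "src": "10.0.0.5", "dst": "192.168.1.10", "sig": "port_scan"},
    {"ts": 3, "src": "10.0.0.5", "dst": "192.168.1.10", "sig": "port_scan"},
    {"ts": 4, "src": "10.0.0.5", "dst": "192.168.1.10", "sig": "banner_grab"},
    {"ts": 5, "src": "10.0.0.5", "dst": "192.168.1.10", "sig": "ftp_overflow"},
    {"ts": 6, "src": "10.0.0.9", "dst": "192.168.1.20", "sig": "install_rootkit"},
]

if __name__ == "__main__":
    scenarios, unlinked = correlate(ALERTS)
    for sc in scenarios.values():
        print(sc.victim, "->".join(sc.steps), "merged:", sc.merged,
              "next:", forecast(sc))
    print("unlinked:", [a["sig"] for a in unlinked])
```

The `ddos_daemon` forecast is the substitution relation at work: its prerequisite is the general ability `code_execution`, which the scenario never gained directly but holds through the subsumption chain from `remote_shell_root`. The `install_rootkit` alert on 192.168.1.20 stays unlinked because no scenario on that host supplies the prerequisite shell, which is the kind of isolated alert an analyst would still need to triage.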
Keywords/Search Tags:intrusion detection system, alert correlation, description logics, ability, attack knowledge base