Research On Network Security Early Warning Technology Based On Hidden Markov Model

Posted on: 2008-09-12
Degree: Master
Type: Thesis
Country: China
Candidate: S H Zhang
Full Text: PDF
GTID: 2178360242972291
Subject: Computer application technology
Abstract/Summary:
Multi-step attacks are one of the primary forms of intrusion today. How to detect and forecast multi-step attacks is a problem in the field of network security. Early warning technology lays the foundation for active defense, which makes it a hotspot of network security research. The main work in this paper is as follows:

1. Multi-step attack patterns are studied in depth. Multi-step intrusions are analyzed and characterized by attack intention, and a multi-step attack modeling method based on attack intention is presented.

2. The disadvantages of existing early warning technology are analyzed, and two kinds of early warning system architecture are studied in detail.

3. Building on the study of the hidden Markov model (HMM), the multi-step attack pattern, attack intention and the hidden Markov model are combined, and an early warning technology based on the hidden Markov model is presented. Its early warning model has two layers: (a) the observation layer, also called the alert layer, which consists of the alert messages produced by the IDS; (b) the hidden layer, also called the attack intention layer, which consists of the attack intentions of the multi-step attack. The HMM-based early warning technology uses the Forward algorithm to compute the probability that the alert sequence was produced by the hidden Markov model, recognizes the attack intentions with an improved Viterbi algorithm, and finally combines the two algorithms to forecast the next possible attack.

4. A distributed prototype system is designed. Using NetBeans 5.5 as the IDE for developing the prototype, core components such as the multi-step attack judgment module, the attack intention recognition module and the attack forecast module are implemented. Finally, the validity of the early warning technology is shown by concrete experimental results.
Keywords/Search Tags: Hidden Markov Model, Multi-step attack, Attack intention, Attack scenario, Forecast attack
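
The two-layer model in item 3, sketched as an added example (not code from the thesis or its prototype): the Forward algorithm scores an alert sequence, Viterbi recovers the intention sequence, and the two are combined to forecast the next alert. It uses the standard Viterbi algorithm, not the thesis's improved variant, and every intention name, alert name and probability below is a constructed assumption.

```python
# Constructed two-layer model: hidden attack intentions, observed IDS alert types.
# All state names, alert names and probabilities are illustrative assumptions.
STATES = ["recon", "exploit", "escalate"]
ALERTS = ["port_scan", "buffer_overflow", "priv_change"]
PI = {"recon": 0.8, "exploit": 0.15, "escalate": 0.05}
A = {  # intention -> next intention
    "recon":    {"recon": 0.6, "exploit": 0.35, "escalate": 0.05},
    "exploit":  {"recon": 0.1, "exploit": 0.5, "escalate": 0.4},
    "escalate": {"recon": 0.05, "exploit": 0.15, "escalate": 0.8},
}
B = {  # intention -> alert emitted
    "recon":    {"port_scan": 0.85, "buffer_overflow": 0.1, "priv_change": 0.05},
    "exploit":  {"port_scan": 0.15, "buffer_overflow": 0.75, "priv_change": 0.1},
    "escalate": {"port_scan": 0.05, "buffer_overflow": 0.15, "priv_change": 0.8},
}

def forward(obs):
    """Forward algorithm: alpha[s] = P(alerts so far, current intention = s)."""
    alpha = {s: PI[s] * B[s][obs[0]] for s in STATES}
    for o in obs[1:]:
        alpha = {s: sum(alpha[p] * A[p][s] for p in STATES) * B[s][o] for s in STATES}
    return alpha

def sequence_probability(obs):
    """Probability that the model produced this alert sequence."""
    return sum(forward(obs).values())

def viterbi(obs):
    """Standard Viterbi: most likely intention sequence behind the alerts."""
    delta = {s: PI[s] * B[s][obs[0]] for s in STATES}
    paths = {s: [s] for s in STATES}
    for o in obs[1:]:
        new_delta, new_paths = {}, {}
        for s in STATES:
            best = max(STATES, key=lambda p: delta[p] * A[p][s])
            new_delta[s] = delta[best] * A[best][s] * B[s][o]
            new_paths[s] = paths[best] + [s]
        delta, paths = new_delta, new_paths
    return paths[max(STATES, key=lambda s: delta[s])]

def forecast_next_alert(obs):
    """P(next alert | alerts): filter with forward, step through A, emit through B."""
    alpha = forward(obs)
    total = sum(alpha.values())
    nxt = {s: sum(alpha[p] / total * A[p][s] for p in STATES) for s in STATES}
    dist = {a: sum(nxt[s] * B[s][a] for s in STATES) for a in ALERTS}
    return max(dist, key=dist.get), dist

if __name__ == "__main__":
    seq = ["port_scan", "port_scan", "buffer_overflow"]  # constructed alert stream
    print(sequence_probability(seq), viterbi(seq), forecast_next_alert(seq))
```

In a deployment the matrices would be estimated from labelled attack scenarios rather than set by hand, and a low sequence probability indicates that the alert stream does not match the modelled multi-step attack.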