
An Attack Plan Identify System Based On Multi-Alert Fusion

Posted on: 2009-03-25
Degree: Master
Type: Thesis
Country: China
Candidate: H Huang
Full Text: PDF
GTID: 2178360242977073
Subject: Communication and Information System
Abstract/Summary:
With the rapid development of the Internet, network security issues are attracting increasing attention. Intrusion Detection Systems and response decision-making systems are hot areas of current network security research, and the Attack Plan Identification System, which serves as a bridge between these two, plays an important role in the network defense framework. An Attack Plan Identification System is an intelligent system that takes intrusion detection alert evidence as its input and infers what the attacker is trying to do, that is, what his plans are.

According to our recent study, existing attack plan identification systems have two main limitations: (1) they fail to consider IDS omissions (missed detections) and false alarms; in other words, they do not take the credibility of alert evidence into account; (2) they fail to consider multiple possible attack plans and to rank their possibilities.

In view of these limitations, we propose an Attack Plan Identification System based on multi-alert fusion. The system introduces state-change alerts as a second kind of evidence, used together with IDS alerts to identify the attack plan. We observe that there is a causal relationship between changes in system state and the attacker's behavior, and a Bayesian network is a belief network built on causal relationships, so we can use it to infer the reliability of each piece of alert evidence. With the reliability values we can complement omitted alerts and remove false alarms, and the plan identification system then uses the remaining highly credible evidence to identify the attack plan.

The plan identification algorithm designed in this paper is based on a step-match comparison method. To meet the need of considering multiple possible attack plans and ranking their possibilities, we define our own matching rules and identification functions. This algorithm not only outputs multiple possible attack plans that can explain the current alert evidence, but also assigns a probability to each possible result. Moreover, administrators can control the number of possible results by setting different match thresholds. The functionality and flexibility of the system are therefore improved, which makes this Attack Plan Identification System more useful in a real network environment.
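The reliability filtering and step-match identification sketched above, as an added illustration that is not the thesis's own code: the plan templates, the alert reliability values (standing in for the output of the Bayesian network stage) and the matching rule (in-order step matching, weighted by reliability, divided by the plan's step count) are all assumptions made here.

```python
from dataclasses import dataclass

# Constructed attack-plan templates: each plan is an ordered list of step names.
PLANS = {
    "web-shell-deploy": ["port_scan", "web_vuln_probe", "upload_webshell", "priv_escalation"],
    "ssh-brute-force": ["port_scan", "ssh_bruteforce", "login_success", "priv_escalation"],
    "dos": ["port_scan", "syn_flood"],
}


@dataclass
class Alert:
    step: str           # plan step this alert is evidence for
    reliability: float  # credibility in [0, 1]; assumed to come from the Bayesian network stage


# Constructed alert sequence: the ssh_bruteforce alert has low reliability (a false alarm).
SAMPLE_ALERTS = [
    Alert("port_scan", 0.9),
    Alert("ssh_bruteforce", 0.2),
    Alert("web_vuln_probe", 0.8),
    Alert("upload_webshell", 0.7),
]


def filter_alerts(alerts, min_reliability):
    """Drop alerts whose reliability is below the cutoff (false-alarm removal)."""
    return [a for a in alerts if a.reliability >= min_reliability]


def match_degree(plan_steps, alerts):
    """Assumed step-match rule: walk the plan steps in order, consuming alerts in order;
    the degree is the summed reliability of matched steps over the number of plan steps."""
    score, i = 0.0, 0
    for step in plan_steps:
        while i < len(alerts) and alerts[i].step != step:
            i += 1
        if i == len(alerts):
            break  # remaining steps have no supporting evidence yet
        score += alerts[i].reliability
        i += 1
    return score / len(plan_steps)


def identify_plans(plans, alerts, threshold):
    """Rank plans whose match degree reaches the threshold; the threshold controls how many
    candidates survive, and degrees are normalised into a probability per candidate."""
    kept = {n: d for n, s in plans.items() if (d := match_degree(s, alerts)) >= threshold and d > 0}
    total = sum(kept.values())
    return [(n, d, d / total) for n, d in sorted(kept.items(), key=lambda kv: -kv[1])]


if __name__ == "__main__":
    for name, degree, prob in identify_plans(PLANS, filter_alerts(SAMPLE_ALERTS, 0.5), 0.3):
        print(f"{name}: match degree {degree:.3f}, probability {prob:.3f}")
```

Raising the threshold from 0.3 to 0.5 on the constructed data leaves a single candidate, while lowering it to 0.2 admits all three plans.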
Keywords/Search Tags: Plan Identification/Recognition, Bayesian Network, Action-State Chart, Alert Reliability, Match Degree