
Mining Alert Association Rules In Large-Scale Network Security Situation Analysis

Posted on: 2008-02-14
Degree: Master
Type: Thesis
Country: China
Candidate: Y J Sun
Full Text: PDF
GTID: 2178360245497969
Subject: Computer Science and Technology
Abstract/Summary:
With the extensive and deep use of computer networks, computer and network security has become a key problem. Security situation analysis of a large-scale network is an important method for understanding the security status of the whole network, and the analysis of large-scale alert logs is an indispensable step in it. The rapid growth in the scale of alert logs and the endless emergence of new attacks demand that alert analysis not be limited to raw, trivial attacks; it should generate a high-level view that reflects the security status of the whole network and the real attack intention. Traditional alert correlation methods are confined to small-scale alert logs with already known attacks, so they cannot effectively discover the new knowledge behind large-scale alert logs. Mining alert association rules and attack sequential patterns in alert logs is a better solution; it can find alert characteristics and complicated attack patterns automatically. Against this background, we focus on mining alert association rules and attack sequential patterns. The main research topics include the following aspects:

The first part of this paper introduces the purpose, significance and current state of research in alert correlation. It also gives a brief presentation of the main methods in alert correlation, points out the significance of mining alert association rules and attack sequential patterns in large-scale alert logs, and describes the research content of this paper in more detail.

After discussing the classical concepts and algorithms of association rule mining and sequential pattern mining, we focus on the specific mining task in alert logs. In alert association rule mining, if the log scale is large and the minimum support is set relatively low, the traditional algorithms are very slow and inevitably generate too many useless association rules. So we propose several methods for selecting the useful association rules. We discuss how to cut down the number of useless association rules by formulating an alert association rule template, and how to evaluate the association rules by an interest measure instead of the support and confidence framework. Then, based on the template and the interest measure, we present the MFP-template algorithm. Experimental results show that the MFP-template algorithm not only speeds up the mining process and reduces the cost of system resources, but also decreases the number of useless rules and generates more interesting knowledge.

At last, in order to discover the real attack intention, we use the PrefixSpan algorithm to mine sequential patterns in alert logs; then, with the definition of the capability of the corresponding alert, we check whether the capabilities of the alerts in a sequential pattern are increasing, and thus select out the attack sequential patterns, which are more accurate. Experiments show that our method is able to discover interesting and valuable attack sequential patterns and help users understand complicated attack scenarios.
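The sequential-pattern step described above, as an added example that is not the thesis's own code: a minimal PrefixSpan over alert sessions, followed by the check that alert capability increases along each pattern. The alert names, the ordinal capability levels, the sessions and the minimum support are all constructed here, and "increasing" is read as strictly increasing, which is an assumption.

```python
from collections import defaultdict

# Constructed ordinal capability levels (an assumption, not the thesis's table).
CAPABILITY = {"PortScan": 1, "BannerGrab": 2, "ExploitAttempt": 3, "RootShell": 4}

# Constructed alert sessions: alert types raised by one source, in time order.
SESSIONS = [
    ["PortScan", "BannerGrab", "ExploitAttempt", "RootShell"],
    ["PortScan", "BannerGrab", "ExploitAttempt", "RootShell"],
    ["BannerGrab", "PortScan", "ExploitAttempt"],
    ["BannerGrab", "PortScan"],
    ["BannerGrab", "PortScan", "ExploitAttempt", "RootShell"],
]

def prefixspan(sequences, min_support, prefix=(), patterns=None):
    """Minimal PrefixSpan over sequences of single-alert events.
    Support = number of sequences containing the pattern; returns {pattern: support}."""
    if patterns is None:
        patterns = {}
    counts = defaultdict(int)
    for seq in sequences:
        for alert in set(seq):  # count each sequence at most once per alert type
            counts[alert] += 1
    for alert, support in counts.items():
        if support < min_support:
            continue
        pattern = prefix + (alert,)
        patterns[pattern] = support
        # Projected database: the suffix after the first occurrence of `alert`.
        projected = [seq[seq.index(alert) + 1:] for seq in sequences if alert in seq]
        projected = [s for s in projected if s]
        if projected:
            prefixspan(projected, min_support, pattern, patterns)
    return patterns

def attack_patterns(patterns, capability=CAPABILITY, min_length=2):
    """Keep patterns whose alert capability strictly increases at every step
    (strictness is our assumption about the thesis's capability check)."""
    return {
        p: s for p, s in patterns.items()
        if len(p) >= min_length
        and all(capability[a] < capability[b] for a, b in zip(p, p[1:]))
    }

if __name__ == "__main__":
    found = prefixspan(SESSIONS, min_support=3)
    kept = attack_patterns(found)
    for p, s in sorted(kept.items(), key=lambda kv: (-len(kv[0]), -kv[1])):
        print(" -> ".join(p), "support", s)
    print("dropped (capability does not increase):",
          [p for p in found if len(p) >= 2 and p not in kept])
```

With these sessions the frequent pattern BannerGrab -> PortScan survives support counting but is dropped by the capability check, which is the point of the second filter.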
Keywords/Search Tags: alert correlation, association rules, interest measure, MFP-template algorithm, attack sequential pattern