
Constructing Attack Scenario For Multi-IDS Systems

Posted on: 2008-06-22
Degree: Master
Type: Thesis
Country: China
Candidate: S S Huang
GTID: 2178360272469539
Subject: Computer system architecture
Abstract/Summary:
Nowadays, one very complicated problem that troubles network analysts is the redundant data generated by IDSs. The objective of our system SATA (Security Alert & Threat Analysis) is to address this problem. Several novel methods that use data mining techniques to reconstruct attack scenarios were proposed to predict the next stage of an attack by recognizing the attacker's high-level strategy. The main idea of this paper is a novel approach to mining "complicated" attack scenarios based on multi-agent systems, without requiring clear attack specifications or precise rule definitions. We propose SAMP, a modified PrefixSpan algorithm, to mine frequent attack behavior sequences and construct attack scenarios. We also propose CAST, which constructs an attack scenario tree to find the relationship between new attacks and historical attack scenarios effectively. The definitions of cor-correlativity and pre-correlativity among the three elements of frequent attack sequences are given for attack behavior correlation and potential attack intention identification. We perform a series of experiments to validate our method on the practical attack network environment of CERNET. The experimental results show that our approach is valid for multi-agent attack scenario construction and correlation analysis.
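The core step the abstract describes, mining frequent attack behavior sequences from IDS alert streams with a PrefixSpan-style algorithm, as an added illustration that is not the thesis's SAMP or CAST code: a plain PrefixSpan over constructed, hypothetical per-host alert sequences, with the longest frequent sequences taken as candidate multi-stage scenarios for alert correlation.

```python
from collections import defaultdict

# Constructed sample: each entry is one host's ordered IDS alert types.
# Alert labels are hypothetical, not drawn from the thesis or CERNET data.
ALERT_SEQUENCES = [
    ["port_scan", "ssh_brute", "priv_esc", "data_exfil"],
    ["port_scan", "web_scan", "sqli", "data_exfil"],
    ["port_scan", "ssh_brute", "priv_esc"],
    ["web_scan", "sqli", "priv_esc", "data_exfil"],
    ["port_scan", "ssh_brute", "data_exfil"],
]


def _project(db, item):
    """Projected database: the suffix of each sequence after its first `item`."""
    projected = []
    for seq in db:
        for i, alert in enumerate(seq):
            if alert == item:
                projected.append(seq[i + 1:])
                break
    return projected


def prefixspan(db, min_support, prefix=None, results=None):
    """Return {tuple(pattern): support} for every frequent alert sequence.

    Standard PrefixSpan over single-item elements: count each alert type
    that occurs in at least `min_support` sequences of the (projected)
    database, extend the prefix with it and recurse on its projection."""
    prefix = prefix or []
    results = results if results is not None else {}
    counts = defaultdict(int)
    for seq in db:
        for alert in set(seq):  # one vote per sequence, not per occurrence
            counts[alert] += 1
    for alert, support in sorted(counts.items()):
        if support < min_support:
            continue
        pattern = prefix + [alert]
        results[tuple(pattern)] = support
        prefixspan(_project(db, alert), min_support, pattern, results)
    return results


def longest_scenarios(db, min_support):
    """Maximal-length frequent sequences: candidate multi-stage attack scenarios."""
    patterns = prefixspan(db, min_support)
    longest = max((len(p) for p in patterns), default=0)
    return {p: s for p, s in patterns.items() if len(p) == longest}
```

Lowering `min_support` surfaces longer but rarer chains (here the three-stage scan, brute-force, escalation sequence at support 2), so the threshold trades scenario detail against noise from coincidental alert orderings.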
Keywords/Search Tags: frequent attack sequence, attack scenario reconstruction, intrusion detection, data mining, correlation analysis