Forecast Algorithm For Multi-Step Attack Based On Attack Utility

Posted on: 2010-12-30
Degree: Master
Type: Thesis
Country: China
Candidate: J Ma
GTID: 2178360272985269
Subject: Computer application technology
Abstract/Summary:
As the Internet has developed, network intrusion techniques have kept improving, exposing the Internet to greater threats. Multi-step attacks are one of the primary forms of current attacks. Many intrusion detection systems today only detect attacks and cannot forecast them. To move intrusion detection systems from passive detection to active defense, this paper presents an approach based on attack utility that recognizes the attacker's final intention and forecasts the next possible attack.

Intrusion detection systems often generate a large number of repeated and false alarms, which makes attack prediction consume a lot of system time and lowers forecast accuracy. The paper therefore clusters identical or similar alarms according to a classification standard based on attack intent. In addition, it eliminates immune alarms, which are real intrusions that do no harm to the destination system, in accordance with the destination system's configuration information.

This paper describes a multi-attack by its attack intent and establishes a logic diagram of the multi-attack based on attack intention. During attack forecasting, attack utility represents the attacker's benefit from each attack step and is constrained by the attack itself and by the destination system. The attack utility is an important reference for multi-step attack forecasting.

Finally, an experimental multi-attack forecast system was developed with VB6.0 and MySQL. The DARPA 2000 attack scenario test data set LLDOS1.0 (inside) and MS SQL Server SA intrusion alarm data sets from a LAN environment were used as the raw data. The experimental results verified the effectiveness of the attack prediction algorithm based on attack utility.
Keywords/Search Tags: forecast attack, multi-attack, attack intention, attack utility