
Using Fuzzy Cluster And Causal Correlation To Construct Attack Scenarios

Posted on: 2010-05-12
Degree: Master
Type: Thesis
Country: China
Candidate: Y G Zhang
Full Text: PDF
GTID: 2178360275479450
Subject: Computer software and theory
Abstract/Summary:
As is well known, network attackers often use various means and multiple steps to reach the goal of an attack. Traditional intrusion detection systems (IDS) and other security devices typically generate a large number of isolated low-level alerts. Relations exist among these alerts that cannot be recovered from any single alert on its own, and many of the alerts are duplicated or false. To address these problems, this thesis applies fuzzy clustering, causal correlation and related techniques to analyze large volumes of alerts from security devices, mine the intrinsic relations between the alerts, and construct complete attack scenarios. Such an attack scenario describes the relations between different alerts and helps network security administrators discover more clearly and quickly the underlying relations between network attacks and the attackers' ultimate goals.

This thesis first introduces the motivation for and necessity of constructing attack scenarios, analyzes the advantages and disadvantages of the main current methods for constructing them, and then proposes a new method. The method consists of five modules: alarm fusion, alarm clustering, clustering parameter optimization, alarm correlation, and attack scenario reconstruction. The alarm fusion module removes redundancy from the original alert set by deleting duplicate alerts. The alarm clustering module applies a fuzzy clustering algorithm based on the similarity values between alerts; its clustering parameters are optimized adaptively by an improved quantum particle swarm optimization algorithm, and the algorithm classifies the alert set that has already been processed for redundancy.

The resulting classes not only provide the scenario reference needed by the subsequent modules, but also allow many truly isolated or erroneous alerts to be detected and removed, which reduces unnecessary correlation work. Alert correlation uses a predicate-based causal correlation method that mines the inherent logical relations among large numbers of low-level alerts and builds high-level attack scenario graphs. For the problem of attack scenario graphs being fractured by IDS misses or an incomplete attack knowledge base, the thesis uses a hypothesis-and-reasoning approach based on equality constraints to reconstruct the attack scenario graphs. Finally, experiments are used to analyze and demonstrate the advantages of the proposed method for constructing attack scenarios.
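The following is an added illustration, not code from the thesis, of the first, second and fourth modules described above (alarm fusion, similarity-based clustering, and predicate-based causal correlation into a scenario graph). The alerts, the prerequisite/consequence knowledge base, the similarity weights and the thresholds are all constructed for the example; the quantum particle swarm parameter optimization and the equality-constraint repair of fractured graphs are not implemented here, and the clustering uses a simple similarity-threshold rule with a membership degree rather than a full fuzzy clustering algorithm.

```python
"""Toy alert-correlation pipeline: fusion -> similarity clustering -> causal correlation."""

# Constructed sample alerts (not real IDS output); ts is seconds from an arbitrary origin.
ALERTS = [
    {"id": 1, "ts": 0,   "sig": "port_scan",    "src": "10.0.0.5",  "dst": "10.0.1.20"},
    {"id": 2, "ts": 5,   "sig": "port_scan",    "src": "10.0.0.5",  "dst": "10.0.1.20"},  # repeat of 1
    {"id": 3, "ts": 60,  "sig": "ftp_overflow", "src": "10.0.0.5",  "dst": "10.0.1.20"},
    {"id": 4, "ts": 120, "sig": "ddos_agent",   "src": "10.0.1.20", "dst": "10.0.2.9"},
    {"id": 5, "ts": 130, "sig": "icmp_ping",    "src": "192.0.2.7", "dst": "10.0.3.3"},   # isolated noise
]

# Hypothetical knowledge base: prerequisite and consequence predicates per signature.
# Each predicate names a role ('src' or 'dst') that is bound to the alert's concrete host.
KB = {
    "port_scan":    {"pre": set(),                      "post": {("service_known", "dst")}},
    "ftp_overflow": {"pre": {("service_known", "dst")}, "post": {("root_on", "dst")}},
    "ddos_agent":   {"pre": {("root_on", "src")},       "post": {("agent_installed", "src")}},
    "icmp_ping":    {"pre": set(),                      "post": {("host_alive", "dst")}},
}


def fuse(alerts, window=30):
    """Alarm fusion: drop repeats of the same (sig, src, dst) seen within `window` seconds."""
    kept, last_seen = [], {}
    for a in sorted(alerts, key=lambda a: a["ts"]):
        key = (a["sig"], a["src"], a["dst"])
        if key in last_seen and a["ts"] - last_seen[key] <= window:
            continue
        last_seen[key] = a["ts"]
        kept.append(a)
    return kept


def similarity(a, b, tau=300):
    """Similarity in [0, 1]: Jaccard over the hosts involved, plus a time-proximity term."""
    hosts_a, hosts_b = {a["src"], a["dst"]}, {b["src"], b["dst"]}
    host_sim = len(hosts_a & hosts_b) / len(hosts_a | hosts_b)
    time_sim = max(0.0, 1 - abs(a["ts"] - b["ts"]) / tau)
    return 0.7 * host_sim + 0.3 * time_sim


def cluster(alerts, threshold=0.4):
    """Alert joins the cluster holding its most similar member if that similarity reaches
    `threshold`; the membership degree recorded is that similarity. Singleton clusters are
    returned separately as the "truly isolated" alerts the text proposes to drop."""
    clusters = []  # each cluster is a list of (alert, membership_degree)
    for a in alerts:
        best, best_cluster = 0.0, None
        for c in clusters:
            m = max(similarity(a, b) for b, _ in c)
            if m > best:
                best, best_cluster = m, c
        if best_cluster is not None and best >= threshold:
            best_cluster.append((a, best))
        else:
            clusters.append([(a, 1.0)])
    grouped = [c for c in clusters if len(c) > 1]
    isolated = [c[0][0] for c in clusters if len(c) == 1]
    return grouped, isolated


def bind(pred, alert):
    """Instantiate a predicate's role with the alert's concrete host, e.g. ('root_on', '10.0.1.20')."""
    name, role = pred
    return (name, alert[role])


def correlate(alerts):
    """Causal correlation: edge a -> b when a consequence of a equals a prerequisite of b
    (same predicate, same concrete host) and a occurred strictly earlier."""
    edges = []
    for a in alerts:
        post = {bind(p, a) for p in KB[a["sig"]]["post"]}
        for b in alerts:
            if b["ts"] <= a["ts"]:
                continue
            pre = {bind(p, b) for p in KB[b["sig"]]["pre"]}
            if post & pre:
                edges.append((a["id"], b["id"]))
    return edges


def build_scenarios(alerts):
    """Run the three stages and return fused ids, isolated ids and scenario-graph edges."""
    fused = fuse(alerts)
    grouped, isolated = cluster(fused)
    candidates = [a for c in grouped for a, _ in c]
    return {
        "fused": [a["id"] for a in fused],
        "isolated": [a["id"] for a in isolated],
        "edges": correlate(candidates),
    }


if __name__ == "__main__":
    print(build_scenarios(ALERTS))
```

On the constructed input the fusion stage drops alert 2, the clustering stage sets alert 5 aside as isolated, and correlation links 1 -> 3 -> 4 (scan establishes the service, the overflow yields root on the target, root on the target enables the agent install), which is the scenario graph that a single alert could not reveal.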
Keywords/Search Tags: Fuzzy clustering, causal correlation, attack scenarios, alarm fusion, quantum particle swarm