A Model For Building Attack Scenarios Based On Correlation Mechanism Of Intrusion Detection And Vulnerability Scanning

Posted on: 2010-06-13
Degree: Master
Type: Thesis
Country: China
Candidate: Y Wang
Full Text: PDF
GTID: 2178360278957489
Subject: Computer application technology

Abstract/Summary:
Vulnerability scanning and intrusion detection are mainstream technologies in the field of cyber security. Vulnerability scanning can identify weaknesses before they are exploited and so protect the network in advance; intrusion detection, on the other hand, monitors network traffic in real time and detects suspicious attacks.

However, both vulnerability scanners and intrusion detection systems suffer from basic flaws: false positives and false negatives. For vulnerability scanning, first, scans usually run at scheduled times rather than in real time, so false negatives may occur; second, when a large network is scanned, the false-positive rate is high. For intrusion detection, the huge volume of intrusion alarms, including repeated alarms, produces false positives and false negatives and overwhelms administrators. Moreover, vulnerability scanning and intrusion detection share another flaw: they do not analyze or assess the vulnerabilities and intrusion alerts they report.

This thesis proposes a model for building attack scenarios based on a correlation mechanism between intrusion detection and vulnerability scanning. One important characteristic of the model is a correlation mechanism that avoids false positives and false negatives by correlating vulnerabilities with intrusion alerts. The other important characteristic is that attack scenarios are built from two directions: vulnerability analysis generates attack graphs, and alert correlation builds attack scenarios. The attack scenarios depict multistep attacks. In particular, rules written in Prolog are used to generate the attack graphs. Intrusion alerts are normalized to a standard format and aggregated, which also reduces the repeated alerts among the intrusion alarms; the attack scenarios are then generated with Colored Petri nets.

Finally, an experiment shows how attack scenarios are built using Colored Petri nets.
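The abstract describes three processing steps that the thesis applies to intrusion alerts: normalization to a standard format, aggregation of repeated alarms, and correlation with vulnerability scan results so that an alert is only treated as credible when the targeted host actually carries the matching vulnerability. The example below is an added illustration, not the thesis's code: it implements those three steps over constructed sample data, reports scan-only findings (vulnerable services with no matching alert, the scanner's counterpart to the IDS false negatives), and then chains confirmed alerts into a multistep scenario by linking a later alert whose source host was the target of an earlier one. That last step is a simplified stand-in for the thesis's Prolog attack graphs and Colored Petri nets, which are not reproduced here. All field names, vulnerability identifiers and addresses are assumptions made for the example.

```python
"""Alert normalization, aggregation and vulnerability correlation (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    """Standard alert format that every sensor's raw alert is mapped onto."""
    sig: str
    src: str
    dst: str
    dport: int
    ts: int
    vuln_ref: str  # identifier the signature maps to (hypothetical naming scheme)


@dataclass
class Aggregated:
    """One row per (signature, src, dst, dport) burst, with a repeat count."""
    key: tuple
    first_ts: int
    last_ts: int
    count: int
    vuln_ref: str


# Constructed raw IDS alerts with sensor-specific field names (not real traffic).
RAW_ALERTS = [
    {"msg": "SQLi attempt", "src": "10.0.0.5", "dst": "10.0.1.20", "dport": "80", "ts": 100, "ref": "vuln-sqli"},
    {"msg": "SQLi attempt", "src": "10.0.0.5", "dst": "10.0.1.20", "dport": "80", "ts": 103, "ref": "vuln-sqli"},
    {"msg": "SQLi attempt", "src": "10.0.0.5", "dst": "10.0.1.20", "dport": "80", "ts": 105, "ref": "vuln-sqli"},
    {"msg": "IIS exploit", "src": "10.0.0.5", "dst": "10.0.1.20", "dport": "80", "ts": 110, "ref": "vuln-iis"},
    {"msg": "SMB overflow", "src": "10.0.1.20", "dst": "10.0.1.30", "dport": "445", "ts": 200, "ref": "vuln-smb"},
]

# Constructed scan results: (host, port) -> vulnerability identifiers found by the scanner.
SCAN_RESULTS = {
    ("10.0.1.20", 80): {"vuln-sqli"},
    ("10.0.1.30", 445): {"vuln-smb"},
    ("10.0.1.40", 22): {"vuln-ssh"},  # vulnerable but never alerted on: a scan-only finding
}


def normalize(raw: dict) -> Alert:
    """Map a sensor-specific record onto the standard format (lower-cased signature, typed fields)."""
    return Alert(raw["msg"].lower(), raw["src"], raw["dst"], int(raw["dport"]), int(raw["ts"]), raw["ref"])


def aggregate(alerts: list, window: int = 60) -> list:
    """Collapse repeated alerts with the same key that fall within `window` seconds of each other."""
    out, latest = [], {}
    for a in sorted(alerts, key=lambda a: a.ts):
        key = (a.sig, a.src, a.dst, a.dport)
        g = latest.get(key)
        if g is not None and a.ts - g.last_ts <= window:
            g.last_ts, g.count = a.ts, g.count + 1
        else:
            g = Aggregated(key, a.ts, a.ts, 1, a.vuln_ref)
            latest[key] = g
            out.append(g)
    return out


def correlate(aggregated: list, scan: dict) -> list:
    """Tag each aggregated alert 'confirmed' if the scanner saw the matching vulnerability on dst:dport."""
    results = []
    for g in aggregated:
        _, _, dst, dport = g.key
        status = "confirmed" if g.vuln_ref in scan.get((dst, dport), set()) else "unconfirmed"
        results.append((status, g))
    return results


def scan_only_findings(aggregated: list, scan: dict) -> list:
    """Vulnerabilities the scanner reported that no alert ever matched (candidate IDS blind spots)."""
    seen = {(g.key[2], g.key[3], g.vuln_ref) for g in aggregated}
    return sorted((h, p, v) for (h, p), vs in scan.items() for v in vs if (h, p, v) not in seen)


def build_scenarios(confirmed: list) -> list:
    """Chain confirmed alerts in time order: a later alert continues a scenario whose last target is its source."""
    scenarios = []
    for g in sorted(confirmed, key=lambda g: g.first_ts):
        for sc in scenarios:
            last = sc[-1]
            if last.key[2] == g.key[1] and g.first_ts >= last.last_ts:
                sc.append(g)
                break
        else:
            scenarios.append([g])
    return scenarios


def run(raw_alerts=RAW_ALERTS, scan=SCAN_RESULTS) -> dict:
    """Full pipeline on the constructed data; returns every intermediate result for inspection."""
    agg = aggregate([normalize(r) for r in raw_alerts])
    corr = correlate(agg, scan)
    confirmed = [g for status, g in corr if status == "confirmed"]
    return {
        "aggregated": agg,
        "correlated": corr,
        "scan_only": scan_only_findings(agg, scan),
        "scenarios": build_scenarios(confirmed),
    }


if __name__ == "__main__":
    res = run()
    for status, g in res["correlated"]:
        print(f"{status:12} {g.key} x{g.count}")
    print("scan-only:", res["scan_only"])
    for sc in res["scenarios"]:
        print("scenario:", " -> ".join(f"{g.key[1]}->{g.key[2]}:{g.key[0]}" for g in sc))
```

On the constructed data the three SQL injection alarms collapse into one aggregated row, the IIS alert is left unconfirmed because the scanner found no such vulnerability on that host, and the two confirmed alerts (web server, then the SMB service reached from the compromised web server) form a single two-step scenario. The `scan_only` list is the other half of the correlation the abstract mentions: it points at vulnerable services the IDS never alerted on.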
Keywords/Search Tags: False positives, False negatives, Attack scenarios, Attack graphs, Alert correlation