
The Study Of IDS Alert Correlation And Prediction Based On Attack Graph

Posted on: 2011-02-22
Degree: Master
Type: Thesis
Country: China
Candidate: H A Su
Full Text: PDF
GTID: 2178360308985673
Subject: Computer technology
Abstract/Summary:
Attack graph technology is a model-based method for evaluating network vulnerabilities. It reveals the relationships among the vulnerabilities of a target network and between those vulnerabilities and the network's security configuration. An intrusion detection system (IDS) is a passive network security protection device: according to a security policy, it continuously monitors the network and the operating state of its systems in order to discover as many attack attempts and attack actions as possible. Both technologies have weaknesses in increasingly complex network environments. An attack graph captures only the static vulnerability relationships of the network. An IDS produces false positives and false negatives (missed detections), cannot recognise complex multi-step attack patterns, and cannot predict the attacker's next step.

To address these problems, this thesis proposes the alert correlation-prediction graph. The main idea is as follows: an attribute attack graph is used to represent the relationships among the target network's vulnerabilities, and each alert generated by the IDS is mapped to an atomic attack node in that graph. This displays the attacker's actions dynamically and, using the vulnerability knowledge of the target network, predicts the attacker's next attack action. The alert correlation-prediction graph can thus dynamically reveal both the relationships among the alerts reported by the IDS and the relationships between those alerts and the network's vulnerabilities, providing initial data for analysing the network's security. Based on this idea, the main contributions of the thesis are as follows.

First, the thesis proposes the concept of the alert correlation-prediction graph and designs the alert correlation-prediction algorithm. The alert correlation-prediction graph overlays correlated IDS alert information on an attribute attack graph. The algorithm correlates each newly detected alert with the alerts detected before it, which allows the security situation of the target network to be evaluated more effectively. In addition, starting from the node that corresponds to the current alert, the algorithm uses the vulnerability knowledge of the target network to predict the atomic attack nodes that may be exploited in the next step, which improves the target network's ability to resist risk.

Second, building on this work, the thesis designs and implements a prototype alert correlation-prediction system based on the attack graph. The system is divided into three layers of basic function modules: an input and preprocessing layer, an analysis layer and a visualisation layer. The main work consists of designing the XML storage and data formats for the attribute attack graph and the alert correlation-prediction graph, solving the problem of mapping IDS alerts to the attribute attack graph, implementing the alert correlation-prediction algorithm, and implementing the visualisation of the alert correlation-prediction graph.

Finally, experiments are carried out to verify the above work. By constructing a series of alerts to test the functions of the prototype system, the results show that the prototype correlates alerts correctly and predicts the atomic attack node likely to be attacked in the next step. The experiments also test the ability of the alert correlation-prediction graph to analyse network security, and show that it can present the network's security state intuitively and dynamically while reducing the impact of IDS missed detections.
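The following is an added worked example of the correlation-prediction idea described above; it is illustrative code written for this page, not the thesis's prototype system or its XML formats. It assumes a small hypothetical attribute attack graph for a two-host (web, db) network, hypothetical IDS signature ids, and a constructed alert sequence in which one step (the privilege escalation on the web host) is missed by the IDS, so that the leakage handling can be shown.

```python
"""Alert correlation and prediction over an attribute attack graph (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AtomicAttack:
    """Atomic attack node: requires every attribute in `pre`, grants every attribute in `post`."""
    name: str
    pre: FrozenSet[str]
    post: FrozenSet[str]


def _aa(name: str, pre, post) -> AtomicAttack:
    return AtomicAttack(name, frozenset(pre), frozenset(post))


# Constructed attribute attack graph for a toy web -> db network (hypothetical hosts and vulns).
ATTACK_GRAPH: Dict[str, AtomicAttack] = {a.name: a for a in [
    _aa("scan_web",    {"reach(web)"},                       {"know(web,http)"}),
    _aa("exploit_web", {"know(web,http)", "vuln(web,http)"}, {"user(web)"}),
    _aa("privesc_web", {"user(web)", "vuln(web,kernel)"},    {"root(web)"}),
    _aa("ssh_db",      {"root(web)", "trust(web,db)"},       {"user(db)"}),
    _aa("privesc_db",  {"user(db)", "vuln(db,sudo)"},        {"root(db)"}),
]}
# Attributes the attacker holds before any alert (from the vulnerability scan and configuration).
INITIAL_ATTRS = frozenset({"reach(web)", "vuln(web,http)", "vuln(web,kernel)",
                           "trust(web,db)", "vuln(db,sudo)"})
# Alert mapping: (IDS signature id, destination host) -> atomic attack node. Ids are hypothetical.
ALERT_MAP: Dict[Tuple[int, str], str] = {
    (1000, "web"): "scan_web", (1001, "web"): "exploit_web", (1002, "web"): "privesc_web",
    (1003, "db"): "ssh_db", (1004, "db"): "privesc_db",
}


@dataclass
class Step:
    """Result of processing one alert: (sid, src, dst) tuple, matched node, correlations, prediction."""
    alert: Tuple[int, str, str]
    node: Optional[str]
    correlated_with: List[str]   # earlier nodes whose postconditions enable this one
    inferred_missed: List[str]   # nodes assumed to have happened without an alert (IDS leakage)
    predicted_next: List[str]    # enabled but not yet observed atomic attack nodes


class CorrelationPredictionGraph:
    def __init__(self, graph: Dict[str, AtomicAttack], initial: FrozenSet[str],
                 alert_map: Dict[Tuple[int, str], str]) -> None:
        self.graph = graph
        self.alert_map = alert_map
        self.attrs: Set[str] = set(initial)       # attributes the attacker currently holds
        self.matched: List[str] = []              # nodes seen so far, alerted or inferred
        self.edges: List[Tuple[str, str]] = []    # correlation edges (earlier node, later node)

    def _enabled(self, name: str) -> bool:
        return self.graph[name].pre <= self.attrs

    def _apply(self, name: str) -> List[str]:
        """Record `name` as reached; return the earlier nodes it correlates with."""
        preds = [m for m in self.matched if self.graph[m].post & self.graph[name].pre]
        self.edges.extend((p, name) for p in preds)
        self.attrs |= self.graph[name].post
        self.matched.append(name)
        return preds

    def _infer_missed(self, target: str) -> List[str]:
        """Leakage handling: if the alerted node lacks preconditions, assume enabled
        predecessor attacks that grant them happened undetected, transitively."""
        inferred: List[str] = []
        while True:
            missing = self.graph[target].pre - self.attrs
            cand = next((n for n, a in self.graph.items()
                         if n not in self.matched and n != target
                         and a.post & missing and self._enabled(n)), None)
            if not missing or cand is None:
                return inferred
            self._apply(cand)
            inferred.append(cand)

    def predict(self) -> List[str]:
        return [n for n in self.graph if n not in self.matched and self._enabled(n)]

    def process_alert(self, alert: Tuple[int, str, str]) -> Step:
        sid, _src, dst = alert
        node = self.alert_map.get((sid, dst))
        if node is None:                          # unmapped alert, e.g. a false positive
            return Step(alert, None, [], [], self.predict())
        if node in self.matched:                  # repeated alert for a node already reached
            return Step(alert, node, [p for p, n in self.edges if n == node], [], self.predict())
        inferred = self._infer_missed(node)
        preds = self._apply(node)
        return Step(alert, node, preds, inferred, self.predict())


def run_demo() -> List[Step]:
    """Constructed alert sequence: scan, web exploit, then a lateral move to db with the
    web privilege escalation missed by the IDS, followed by an unmapped alert."""
    g = CorrelationPredictionGraph(ATTACK_GRAPH, INITIAL_ATTRS, ALERT_MAP)
    alerts = [(1000, "attacker", "web"), (1001, "attacker", "web"),
              (1003, "web", "db"), (9999, "attacker", "web")]
    return [g.process_alert(a) for a in alerts]


if __name__ == "__main__":
    for step in run_demo():
        print(step)
```

The prediction is simply the set of atomic attack nodes whose preconditions are all satisfied by the attributes reached so far; a real deployment would need the alert-to-node mapping to account for source and destination hosts and for signature families rather than single ids, and would have to cap inference depth so that a single false positive cannot "reach" the whole graph.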
Keywords/Search Tags: attribute attack graph, alert correlation-prediction graph, alert correlation, alert prediction