
Study On Methods Of Privacy-Preserving Multi-Stage Attack Correlation

Posted on: 2012-02-25
Degree: Master
Type: Thesis
Country: China
Candidate: J Zhang
Full Text: PDF
GTID: 2218330362959298
Subject: Communication and Information System
Abstract/Summary:
Global security threats are growing day after day with the fast development of network technology. The damage caused by multi-stage attacks has forced institutions to start collaborating with each other to resist such attacks. But safety alert data always contains some sensitive information that its owners are not willing to share or publish, which leads to the requirement that private information be protected. However, preserving the privacy of alert data has a negative impact on the correlation analysis of multi-stage attacks. It is this contradiction that gives significance to the study of how to balance the privacy and accessibility of alert data, and of how to efficiently analyze multi-stage attacks while protecting private information.

This thesis compares in depth the pros and cons of traditional privacy protection and multi-stage attack correlation technology. Based on this comparison, we studied the implementation of the two technologies respectively and proposed an architecture for conducting multi-stage attack correlation with embedded privacy-preservation capability.

This thesis begins by surveying privacy-preservation techniques for ordinary data. For the techniques considered classical, we compared their advantages and disadvantages. Great attention was then paid to the k-anonymity model and its implementation. The privacy-preservation method we propose, which is also based on k-anonymity, designs an appropriate generalization hierarchy for sensitive alert attributes using discrete attribute entropy or continuous attribute difference, and then enhances the Incognito algorithm so that private information is protected without losing the performance of the original algorithm.

A number of classical multi-stage attack correlation methods have also been summarized, among which the one based on sequential pattern mining is discussed in detail. Considering the drawbacks of existing sequential pattern mining algorithms, we suggested adding two filter stages to ESPM: a one-time filter and a dynamic filter. These two extra stages greatly reduce the size of the database to be mined. At the same time, we modified the prune phase for the candidate large attack sequence set to notably improve mining performance. In order to reduce the false positive ratio of attack scenario detection, we proposed the ESPM-D algorithm, which divides the alert database into smaller ones by destination IP and correlates multi-stage attacks within each database via ESPM. Furthermore, we introduced the architecture for multi-stage attack correlation with privacy preservation. The architecture is implemented via ESPM-P and can effectively discover the real attack scenario in privacy-preserved alert data.

Finally, we tested ESPM, ESPM-D and ESPM-P on the benchmark dataset DARPA 2000. The results indicate the validity of the architecture and algorithms proposed in our work.
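As an added illustration (not code from the thesis), the pipeline the abstract describes, reduced to a toy in Python: generalize the alert source IP up a hierarchy until k-anonymity holds (a single-attribute stand-in for the enhanced Incognito search), group alerts by destination IP as ESPM-D does, and mine frequent ordered alert-type sequences on the anonymized data as ESPM-P does. The alert records, the IP generalization hierarchy, the attack-stage names and the function names are all constructed assumptions, not the thesis's own.

```python
from collections import Counter, defaultdict
from itertools import combinations

# Constructed sample alerts: (time, src_ip, dst_ip, alert_type). Not DARPA 2000 data.
ALERTS = [
    (1, "10.0.1.5", "192.168.1.10", "scan"),
    (2, "10.0.1.5", "192.168.1.10", "exploit"),
    (3, "10.0.1.5", "192.168.1.10", "root_shell"),
    (4, "10.0.1.7", "192.168.1.20", "scan"),
    (5, "10.0.1.7", "192.168.1.20", "exploit"),
    (6, "10.0.1.7", "192.168.1.20", "root_shell"),
    (7, "10.0.2.9", "192.168.1.30", "scan"),
    (8, "10.0.2.11", "192.168.1.30", "root_shell"),  # no exploit stage on this host
]

def generalize_ip(ip, level):
    """Constructed generalization hierarchy for IPv4: level n masks the last n octets."""
    octets = ip.split(".")
    return ".".join(octets[: 4 - level] + ["*"] * level)

def k_anonymize(alerts, k):
    """Bottom-up search over one attribute (Incognito-style stand-in): the lowest
    level at which every src_ip value occurs at least k times, plus the generalized alerts."""
    for level in range(5):
        gen = [(t, generalize_ip(s, level), d, a) for t, s, d, a in alerts]
        if min(Counter(g[1] for g in gen).values()) >= k:
            return level, gen
    raise ValueError("k exceeds the alert count; k-anonymity cannot be satisfied")

def mine_sequences(alerts, min_support):
    """ESPM-D idea: group by destination IP so stages aimed at different victims are
    never chained; support = number of victim groups containing the ordered subsequence."""
    by_dst = defaultdict(list)
    for t, s, d, a in sorted(alerts):
        by_dst[d].append(a)
    support = Counter()
    for seq in by_dst.values():
        patterns = set()
        for n in range(2, len(seq) + 1):          # exhaustive: fine for a toy, pruned in a real miner
            for idx in combinations(range(len(seq)), n):
                patterns.add(tuple(seq[i] for i in idx))
        support.update(patterns)                  # one vote per victim group
    return {p: c for p, c in support.items() if c >= min_support}

def correlate_with_privacy(alerts, k, min_support):
    """ESPM-P idea: anonymize first, then mine; per-victim stage ordering survives generalization."""
    level, safe = k_anonymize(alerts, k)
    return level, mine_sequences(safe, min_support)
```

Calling `correlate_with_privacy(ALERTS, k=2, min_support=2)` generalizes sources to /24 and still recovers the scan, exploit, root_shell scenario on two of the three victims.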
Keywords/Search Tags: privacy-preserving, k-anonymity, alert correlation, multi-stage attack, sequential pattern mining