Research On Multi-Stage Attack Recognition Method Based On AI Planning

Posted on: 2013-03-16
Degree: Master
Type: Thesis
Country: China
Candidate: J S He
GTID: 2248330371483030
Subject: Network and information security
Abstract/Summary:
With the popularity of the Internet, the importance of the network is increasing in business and government, and the Internet has greatly facilitated people's communication and the sharing of information and resources. Our government is also gradually paying attention to the security of network information, so the protection of network security has become an important research direction. An intrusion detection system (IDS), as a network protection system, has the ability to detect network attacks. But the means and methods of network attackers are increasingly diversified, and simply using a firewall and IDS to provide network security can no longer meet the need, so methods of alert correlation have been proposed on the basis of the alerts provided by the IDS. From a large volume of alert data, these methods obtain the real targets of security incidents and intruders. But these methods still have the following problems:

(1) There is no standard format for alert data. Network security products have their own alert data formats, and making these formats compatible with each other is difficult. For large networks, dealing with a variety of alert formats separately will no doubt take a lot of time and increase the workload of network maintenance.

(2) The relationships among alert data are not presented. Alerts are mostly detected using rule matching. Because the rules are relatively simple and relatively independent, the relationships between the alerts generated by these detection rules are fragmented; users cannot analyze these alerts from the perspective of the entire attack event, which may leave hidden dangers in the safety of the network.

(3) The ability to detect multi-stage attacks is weak. Because of the capabilities of network security products, completing an intrusion with a single-step attack is more difficult. Multi-stage attacks enrich the abilities of network attackers, while the corresponding multi-stage attack detection methods are relatively weak. It is necessary to study response measures against multi-stage attacks.

AI planning has several decades of development history and has achieved good results. Especially in the past 10 years, AI planning has developed rapidly. AI planning is usually used to solve domain problems. Different areas require different knowledge bases as a guide, which is the planning domain in AI planning. AI planning systems use the rules of the knowledge base to calculate and reason, producing a sequence of operations that changes the state. While researching, I found that there are many similarities between AI planning and multi-stage attack recognition in sequence, causation, and stages. In this paper I propose a method for applying AI planning to multi-stage attack recognition.

The main work in this paper is as follows:

(1) To address the diversity of alert data formats in intrusion detection, a new intermediate alert data format named AFAP is proposed on the basis of the existing alert data formats. It is well suited to AI planning and facilitates post-processing of alert data.

(2) Following an in-depth study of the model and features of multi-stage attacks, as well as of the field of AI planning, we combine the existing multi-stage recognition model with AI planning and present a new multi-stage attack recognition model, MSAM-SA, which makes use of the characteristics of AI planning.

(3) According to the multi-stage attack recognition model proposed in this paper, I propose a new method, multi-stage attack recognition based on AI planning (MARP). The paper shows the details of this method and how each step is carried out. Finally, an experimental evaluation of the method is done with the standard test datasets in intrusion detection.

The main contributions and innovations of this paper are as follows:

(1) Through research, I found the similarities between problem solving in AI planning and multi-stage attack recognition. AI planning is introduced into the field of intrusion detection as the inference engine, thus providing a new research means for the field of intrusion detection.

(2) According to the proposed method, multi-stage attack recognition based on AI planning (MARP), the implementations of the various parts of this model are given and the effectiveness of this model is verified. These can be the foundation for such studies in the future, and the method is a useful exploration in intrusion detection.

This article is a preliminary study introducing AI planning into the field of intrusion detection, and many details of the method deserve further consideration. Future work will proceed in the following two aspects:

(1) Due to the increase in network bandwidth and the size of large-scale networks, the proposed MARP model has limitations. Future studies can design an alert conversion model better suited to processing large amounts of data conversion.

(2) The planning method used in this paper, graph planning, is a basic one, and there are many better planning methods. Future work includes understanding and distinguishing the planning methods and using more suitable AI planning techniques for multi-stage attack recognition, so as to improve the efficiency and accuracy of the method.

Keywords/Search Tags: Intrusion Detection, Alert Correlation, AI Planning, Multi-Stage Attack Recognition, Planning Domain