
Analysis And Research Of The Attack Actions In Honeynet

Posted on: 2015-07-29
Degree: Master
Type: Thesis
Country: China
Candidate: C Ma
Full Text: PDF
GTID: 2298330467463815
Subject: Information security
Abstract/Summary:
Security problems have become a major threat as computer networks grow in complexity and scale. Simple and straightforward network attacks have been replaced by complex and changeable ones, such as combined attacks, automated script attacks and coordinated attacks. Traditional security measures lose their power in the face of these new threats, and new theory and methods are urgently needed to counter them.

A honeynet is a network set up with intentional vulnerabilities. Its purpose is to attract attacks so that an attacker's activities and methods can be studied and the resulting information used to improve network security. The key point, and the main difficulty, of honeynet technology is analyzing the gathered data to find the method, tools and motivation behind an attack. A honeynet can gather a large quantity of independent primitive alerts in a short time, mixed with false positives, false negatives and redundancies. A multi-stage attack usually consists of many independent primitive alerts scattered among this mass of alert messages. Machine learning is widely used to find the correlation between independent primitive alerts and restore the full attack scenario, but it requires a large amount of historical data and a long training period. Moreover, machine learning methods usually do not take the specific network environment into consideration, which produces many alerts that do not fit the target network.

An attack graph is a graph that expresses the correlation between known vulnerabilities and can enumerate all possible attack paths through a system in a straightforward manner. An attack graph can therefore be a good complement to a honeynet for describing a multi-stage attack. In this thesis, we apply attack graphs to honeynet alert correlation analysis and propose a novel analysis method called the attack event graph, on which we base an analysis model for honeynet attacks.

This model divides the analysis process into two stages: attack event graph construction and attack pattern mining. In the construction stage, we not only relate the alerts to vulnerabilities but also describe that relation in greater detail, which leads to a precise division into attack scenarios. In the mining stage, we retrieve representative attack patterns and add them to the knowledge base. After systematic analysis and research, we designed and implemented a demo honeynet attack analysis system, with which we carried out many experiments. The experiments show that our method can restore attacks and construct attack scenarios efficiently.
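A small added illustration of the two stages the abstract describes, written for this page and not taken from the thesis: the attack graph, the vulnerability ids, the alert records and the chaining rule (same src/dst flow, matching precondition and postcondition, within a time window) are all assumptions made for the example.

```python
from collections import namedtuple
# Constructed attack graph (not from the thesis): each vulnerability node lists the
# capability an attacker needs (pre) and gains (post); u leads to v when u.post == v.pre.
ATTACK_GRAPH = {
    "VULN-SCAN":     {"pre": "net_access",        "post": "service_knowledge"},
    "VULN-FTP-OVF":  {"pre": "service_knowledge", "post": "user_shell"},
    "VULN-LOCAL-PE": {"pre": "user_shell",        "post": "root_shell"},
    "VULN-DB-DUMP":  {"pre": "root_shell",        "post": "data_exfil"},
}
ENTRY = "net_access"  # capability every outside attacker starts with
Alert = namedtuple("Alert", "ts src dst vuln")  # ts in s, hosts, vuln id or raw signature

def correlate(alerts, graph=ATTACK_GRAPH, window=3600):
    """Stage 1: chain alerts into scenarios. An alert extends a scenario when it shares the
    src->dst flow, arrives within `window` s of the last step and its pre equals that step's
    post. Unmapped alerts are dropped, repeated signatures are redundant, the rest isolated."""
    scenarios, isolated = [], []
    for a in sorted(alerts, key=lambda x: x.ts):
        node = graph.get(a.vuln)
        if node is None:
            continue                        # false positive / signature not in this honeynet
        for sc in scenarios:
            last = sc[-1]
            if (a.src, a.dst) != (last.src, last.dst) or a.ts - last.ts > window:
                continue
            if a.vuln == last.vuln or graph[last.vuln]["post"] == node["pre"]:
                if a.vuln != last.vuln:     # same signature again is redundant, not a step
                    sc.append(a)
                break
        else:                               # fitted no scenario: start one or set aside
            if node["pre"] == ENTRY:
                scenarios.append([a])
            else:
                isolated.append(a)
    return scenarios, isolated

def mine_patterns(scenarios):
    """Stage 2: reduce scenarios to distinct vulnerability paths for the knowledge base."""
    return sorted({tuple(a.vuln for a in sc) for sc in scenarios})
# Constructed alert stream: a duplicate, an unmapped signature and a stray step.
SAMPLE_ALERTS = [
    Alert(100, "10.0.0.5", "192.168.1.10", "VULN-SCAN"),
    Alert(110, "10.0.0.5", "192.168.1.10", "VULN-SCAN"),
    Alert(400, "10.0.0.5", "192.168.1.10", "VULN-FTP-OVF"),
    Alert(420, "10.0.0.9", "192.168.1.10", "SIG-UNKNOWN"),
    Alert(900, "10.0.0.5", "192.168.1.10", "VULN-LOCAL-PE"),
    Alert(950, "10.0.0.7", "192.168.1.20", "VULN-LOCAL-PE"),
    Alert(1300, "10.0.0.5", "192.168.1.10", "VULN-DB-DUMP"),
]
```

Running `correlate(SAMPLE_ALERTS)` yields one four-step scenario on the 10.0.0.5 -> 192.168.1.10 flow, one isolated privilege-escalation alert, and the unmapped signature silently discarded.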
Keywords/Search Tags: honeynet, alert analysis, attack graph, attack event graph, attack pattern