
Research On The Key Technology Of Network Anomaly Detection Based On Log Analysis

Posted on: 2017-12-27
Degree: Master
Type: Thesis
Country: China
Candidate: B He
Full Text: PDF
GTID: 2348330503488011
Subject: Computer Science and Technology
Abstract/Summary:
In recent years network attacks have shifted from large-scale, indiscriminate campaigns to attacks on specific targets. Because these targets are carefully chosen for their value, they usually hold large amounts of user data, commercial secrets and even state secrets, and a successful attack has far more serious social consequences. Conventional intrusion detection methods reconstruct such an attack process poorly, or fail to detect it at all, so dedicated detection methods for this class of attack are needed.

After comparing and analysing the various intrusion detection methods, this thesis chooses attack graphs to reconstruct attack scenarios for intrusion detection. To counter the drop in scenario reconstruction rate caused by missed IDS alerts, it proposes using the logs of the different kinds of devices in the network to discover the attack process. The network devices are first classified, and the differences between them in log storage location, log format and so on are analysed. After the logs of each device type have been preprocessed, the alerts from all devices are stored in a unified form so that the attack process can be analysed across them.

Two different intrusion detection methods are applied to the preprocessed device alerts. The first builds a multi-source attack graph directly from the device alerts and discovers new attack processes from each device's queue of suspected attacks. Experimental results show that this method reconstructs attack scenarios well; in particular, when many IDS alerts are lost or are false positives, its scenario reconstruction rate is significantly higher than that of comparable detection methods.

The second method applies the PrefixSpan algorithm to mine frequent patterns from the heterogeneous logs of the different devices and defines each frequent pattern as a common attack pattern. A multi-source attack pattern graph is then constructed from these common attack patterns and the alerts of the different devices, and new attack processes are discovered through the common attack patterns. This addresses the limitation of the first method, whose attack graph is built from specific attack processes and can therefore only discover attack processes that are already known.
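The pipeline summarised above (normalise heterogeneous device logs into unified alerts, mine frequent sequential patterns with PrefixSpan, build an attack pattern graph from them, and match a new session that is missing its IDS alert) is shown end to end below as an added illustration. This is not code from the thesis: the three log formats, the event labels, the sample log lines and the support threshold are all constructed for the example, and the thesis's own pattern definitions and graph construction are not reproduced.

```python
"""Added example: multi-source log normalisation, PrefixSpan mining and
attack-pattern-graph matching. Not the thesis's code; all formats assumed."""
import re
from collections import defaultdict

# Constructed sample logs (not real device output). Line form: device|timestamp|payload.
# Host 10.0.0.7 runs the same chain as .5 and .6 but the IDS alert is missing;
# .8 only scans, .9 is a legitimate admin visit plus an ordinary page request.
RAW_LOGS = """\
fw|2017-03-01T10:00:01|src=10.0.0.5 action=deny reason=portscan
ids|2017-03-01T10:00:05|alert SQL_INJECTION from 10.0.0.5 to 10.0.0.80
web|2017-03-01T10:00:07|10.0.0.5 "GET /admin/" 200
web|2017-03-01T10:00:09|10.0.0.5 "POST /upload.php" 200
fw|2017-03-01T11:00:01|src=10.0.0.6 action=deny reason=portscan
ids|2017-03-01T11:00:04|alert SQL_INJECTION from 10.0.0.6 to 10.0.0.80
web|2017-03-01T11:00:06|10.0.0.6 "GET /admin/" 200
web|2017-03-01T11:00:08|10.0.0.6 "POST /upload.php" 200
fw|2017-03-01T12:00:01|src=10.0.0.7 action=deny reason=portscan
web|2017-03-01T12:00:06|10.0.0.7 "GET /admin/" 200
web|2017-03-01T12:00:08|10.0.0.7 "POST /upload.php" 200
fw|2017-03-01T13:00:01|src=10.0.0.8 action=deny reason=portscan
web|2017-03-01T14:00:01|10.0.0.9 "GET /admin/" 200
web|2017-03-01T14:00:02|10.0.0.9 "GET /index.html" 200
""".splitlines()

# One parser per device type; each maps its own format onto a shared event vocabulary.
FW_RE = re.compile(r"src=(\S+) action=deny reason=(\w+)")
IDS_RE = re.compile(r"alert (\w+) from (\S+) to \S+")
WEB_RE = re.compile(r'(\S+) "(\w+) (\S+)" (\d+)')
WEB_EVENTS = {("GET", "/admin/"): "ADMIN_PAGE", ("POST", "/upload.php"): "WEBSHELL_UPLOAD"}


def normalise(line):
    """Map one raw line to (timestamp, source_ip, event), or None if it is not an alert."""
    device, ts, payload = line.split("|", 2)
    if device == "fw":
        m = FW_RE.search(payload)
        if m and m.group(2) == "portscan":
            return ts, m.group(1), "PORT_SCAN"
    elif device == "ids":
        m = IDS_RE.search(payload)
        if m:
            return ts, m.group(2), m.group(1)
    elif device == "web":
        m = WEB_RE.search(payload)
        if m and (m.group(2), m.group(3)) in WEB_EVENTS:
            return ts, m.group(1), WEB_EVENTS[(m.group(2), m.group(3))]
    return None


def build_sequences(lines):
    """Unified alert store: per source host, the time-ordered tuple of event labels."""
    per_host = defaultdict(list)
    for line in lines:
        rec = normalise(line)
        if rec:
            ts, host, event = rec
            per_host[host].append((ts, event))
    return {h: tuple(e for _, e in sorted(evs)) for h, evs in per_host.items()}


def prefixspan(sequences, min_support):
    """Classic PrefixSpan: {pattern: support} for every frequent (gap-tolerant) subsequence."""
    patterns = {}

    def project(db, item):
        # Projected database: suffix of each sequence after its first occurrence of item.
        return [seq[seq.index(item) + 1:] for seq in db if item in seq]

    def mine(prefix, db):
        support = defaultdict(int)
        for seq in db:
            for ev in set(seq):  # a sequence supports an item at most once
                support[ev] += 1
        for ev, count in sorted(support.items()):
            if count >= min_support:
                pattern = prefix + (ev,)
                patterns[pattern] = count
                mine(pattern, project(db, ev))

    mine((), list(sequences))
    return patterns


def pattern_graph(patterns):
    """Attack pattern graph: edge a -> b whenever b follows a in some frequent pattern."""
    graph = defaultdict(set)
    for pat in patterns:
        for a, b in zip(pat, pat[1:]):
            graph[a].add(b)
    return graph


def contains_subsequence(seq, pat):
    it = iter(seq)
    return all(ev in it for ev in pat)


def match_session(events, patterns, min_len=2):
    """Longest (then best-supported) frequent pattern the session contains, or None."""
    best = None
    for pat, sup in patterns.items():
        if len(pat) >= min_len and contains_subsequence(events, pat):
            if best is None or (len(pat), sup) > (len(best[0]), best[1]):
                best = (pat, sup)
    return best


if __name__ == "__main__":
    seqs = build_sequences(RAW_LOGS)
    pats = prefixspan(seqs.values(), min_support=2)
    # A new session whose IDS alert was lost still matches a mined attack pattern.
    print(match_session(("PORT_SCAN", "ADMIN_PAGE", "WEBSHELL_UPLOAD"), pats))
```

The support threshold and the `min_len=2` guard are the two knobs a practitioner tunes: a lone `ADMIN_PAGE` event is frequent but is not an attack pattern on its own, while the three-step chain without `SQL_INJECTION` is matched because PrefixSpan patterns allow gaps, which is exactly what makes the approach tolerant to a missed IDS alert.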
Keywords/Search Tags: Network Security, Intrusion Detection, Abnormal Behavior, Heterogeneous Logs, Attack Graph