
Research Of Detection And Tracking Technology Of Security Incident For Complicated Network Attacks

Posted on: 2017-02-12
Degree: Master
Type: Thesis
Country: China
Candidate: Y L Wang
Full Text: PDF
GTID: 2348330518970776
Subject: Computer Science and Technology
Abstract/Summary:
Network technology is currently developing rapidly, which has also deepened the network security problem, and network attacks loom large. Complicated network attacks are often hidden among a large number of common network attacks, which makes it difficult for existing real-time intrusion detection systems (IDS) to find complex multi-step attacks. It is therefore necessary to do in-depth research on the logs from the IDS, so that the inner links between security events can be found and the whole process and characteristics of complicated network attacks can be reconstructed. However, recognition technology for multi-step attacks is still at the development stage, for a variety of reasons: alarms come in great volumes of data with the attacks hidden among them, most of the data are redundant, the results of the analysis are not simple enough, and so on. Aiming at these problems, we present an approach to the detection and tracking of security incidents for complicated network attacks, which mainly includes an approach for aggregating redundant network security events and an approach for detecting and tracking security incidents based on causal relationships.

Firstly, the traditional alarm log analysis method has no effective data preprocessing technology. To solve the problem of the great volume of alert data, much of which is interference data, we present an approach for aggregating redundant network security events based on IP correlation. After being aggregated according to IP correlation, the alerts are saved in several sets. Every set is seen as an attack scenario, and interfering data are deleted. Thus we can mine the association rules in every attack scenario, and more association rules are found because irrelevant data have been deleted.

Secondly, aiming at the problems of difficulty and accuracy in detecting complicated network attacks through security incidents, we propose a method of security event detection and tracking based on causal relationships, which detects and tracks attacks by analyzing the causal relationship between attack states. First, to solve the problem of a high probability of self-circulation and of some paths being unreliable, we present an approach for mining causal relationships based on AR-IPC and the Markov chain. The Markov chain is optimized by introducing the association rules into the process of causal relation mining, so that the probability of an attack path is more believable. Second, the causal relation can be used as a priori knowledge to detect and track network attacks. Finally, experiments are conducted to prove that the approach for aggregating redundant network security events based on IP correlation and the method of security event detection and tracking based on causal relationships are effective.
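As an added illustration (not the thesis's own code or data), the following Python sketch aggregates constructed IDS alerts into attack scenarios by IP correlation, drops isolated alerts as interference, and estimates Markov transition probabilities between attack states within each scenario. The union-find grouping, the one-alert noise threshold and the collapsing of repeated alerts are simplifying assumptions standing in for the AR-IPC mining the abstract describes.

```python
from collections import defaultdict

# Constructed sample alerts: (time, src_ip, dst_ip, attack_state). Not real data.
ALERTS = [
    (1, "10.0.0.5", "10.0.1.20", "PortScan"),
    (2, "10.0.0.5", "10.0.1.20", "PortScan"),        # redundant repeat
    (3, "10.0.0.5", "10.0.1.20", "BufferOverflow"),
    (4, "10.0.1.20", "10.0.2.30", "PortScan"),        # next hop from compromised host
    (5, "10.0.1.20", "10.0.2.30", "BufferOverflow"),
    (6, "10.0.1.20", "10.0.2.30", "DDoS"),
    (7, "192.168.9.9", "10.0.7.7", "PortScan"),       # isolated alert = interference
    (8, "172.16.0.2", "172.16.0.3", "PortScan"),
    (9, "172.16.0.2", "172.16.0.3", "BufferOverflow"),
]

def aggregate_by_ip(alerts, min_size=2):
    """Union-find over IPs (assumed model of 'IP correlation'): alerts fall in
    one scenario when their source/destination addresses chain together.
    Scenarios with fewer than min_size alerts are treated as interference."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path compression
            x = parent[x]
        return x
    for _, src, dst, _ in alerts:
        parent[find(src)] = find(dst)
    groups = defaultdict(list)
    for a in alerts:
        groups[find(a[1])].append(a)
    return [sorted(g) for g in groups.values() if len(g) >= min_size]

def transition_probabilities(scenarios):
    """Markov chain over attack states from the time-ordered alerts of each
    scenario. Consecutive identical states are collapsed first so repeated
    alerts do not inflate self-loop probabilities."""
    counts = defaultdict(lambda: defaultdict(int))
    for scen in scenarios:
        states = [scen[0][3]]
        for a in scen[1:]:
            if a[3] != states[-1]:
                states.append(a[3])
        for cur, nxt in zip(states, states[1:]):
            counts[cur][nxt] += 1
    return {s: {n: c / sum(d.values()) for n, c in d.items()}
            for s, d in counts.items()}

if __name__ == "__main__":
    scen = aggregate_by_ip(ALERTS)
    print(len(scen), "scenarios kept")
    for state, nxt in transition_probabilities(scen).items():
        print(state, "->", nxt)
```

On the constructed alerts, the isolated scan is discarded, two scenarios remain, and the chain estimates PortScan leads to BufferOverflow with probability 1.0 while BufferOverflow splits evenly between a further scan and DDoS.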
Keywords/Search Tags: Complicated Network Attacks, IP Correlation, Markov Chain, Causal Relationship