
Research And Design Of APT Attack Scenario Construction Method Based On Intrusion Kill Chain And Fuzzy Clustering

Posted on: 2019-06-03
Degree: Master
Type: Thesis
Country: China
Candidate: Y Y Huo
Full Text: PDF
GTID: 2348330542998195
Subject: Computer technology
Abstract/Summary:
At present, there are many new and complex attacks in the network, of which APT attacks have become the focus of attention. In APT detection based on security logs, the attack model is usually established in advance and the logs are correlated against the model. This, however, depends on the completeness of the model: an incomplete model causes some alarms to be missed because they cannot be matched, yet building a comprehensive and complete APT attack model is also difficult. In response to this problem, this paper studies how to mine the attack scenario model from security logs and proposes an APT attack scenario generation method based on the intrusion kill chain and fuzzy clustering, which can mine the scenario from the security log.

In this paper, we analyze the purpose of each phase of the intrusion kill chain, divide the attack events accordingly, and then add a judgement of the staged events to the fuzzy clustering so that the correlation between the alarms within a cluster is greater. The attack sequences are then screened according to the characteristics of APT attack alerts and transformed into the attack scenario model by a probability transfer (transition) matrix, which provides the basis for the detection of APT. The main contributions are as follows:

1. An APT attack scenario generation method based on the kill chain and fuzzy clustering is proposed. This paper analyzes the characteristics of each attribute of the IDS alarm log and describes how to classify attack events from the perspectives of attack consequences and IP addresses based on the intrusion kill chain model. It introduces the fuzzy clustering algorithm using the attack event, IP, and timestamp attributes, and the process of further screening the attack sequences to generate attack scenarios.

2. The design and implementation of the APT attack scenario generation method based on the kill chain and fuzzy clustering are described in detail, the realization process of each module is explained, and the flow chart of each module is given.

3. Data are collected for experiments and the experimental results are analyzed. The results show that the proposed method can mine the APT attack scenarios hidden in the IDS alarm log and separate the attacks of different attackers. Based on this, the paper analyzes the experimental results of the method, summarizes the existing problems, and puts forward directions for further optimization.
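As an added illustration (not code from the thesis), the following Python sketch walks the pipeline the abstract describes over a handful of constructed IDS alerts: each alert is mapped to a kill-chain phase by a keyword rule, alerts are grouped with a membership score built from attacker/victim IP match, timestamp proximity and the kill-chain ordering of the staged events (a simplified stand-in for the thesis's fuzzy clustering, not its algorithm), and each mined sequence is turned into a phase transition probability matrix. The keyword-to-phase table, the score weights, the one-hour window and the alert data are all assumptions.

```python
from collections import defaultdict
PHASES = ["recon", "weaponization", "delivery", "exploit", "install", "c2", "actions"]
# Signature keyword -> kill-chain phase; an assumption for this example, not the thesis's table.
KEYWORDS = {"SCAN": "recon", "EXPLOIT": "exploit", "MALWARE": "install", "TROJAN": "c2"}
# Constructed IDS alerts (timestamp_s, attacker_ip, victim_ip, signature); not real data.
ALERTS = [
    (100, "10.0.0.5", "192.168.1.10", "ET SCAN Nmap Scripting Engine"),
    (400, "10.0.0.5", "192.168.1.10", "ET EXPLOIT Suspicious Web Shell Upload"),
    (700, "10.0.0.5", "192.168.1.10", "ET MALWARE Dropper Download"),
    (900, "10.0.0.5", "192.168.1.10", "ET TROJAN Beacon Checkin"),
    (120, "10.0.0.9", "192.168.1.20", "ET SCAN Masscan Probe"),
    (500, "10.0.0.9", "192.168.1.20", "ET EXPLOIT Shellcode Detected"),
    (520, "10.0.0.9", "192.168.1.20", "ET TROJAN Beacon Checkin"),
    (172800, "10.0.0.5", "192.168.1.10", "ET SCAN Nmap Scripting Engine"),  # two days later
]

def phase_of(signature):
    # Map an alert signature to a kill-chain phase, or None if it is not classifiable.
    return next((p for k, p in KEYWORDS.items() if k in signature), None)

def membership(event, cluster, window=3600):
    """Membership (0..1) of an event in a cluster: same IPs, close in time, same-or-later phase."""
    ts, src, dst, phase = event
    last_ts, last_src, last_dst, last_phase = cluster[-1]
    ip_score = 0.5 * (src == last_src) + 0.5 * (dst == last_dst)
    time_score = max(0.0, 1.0 - (ts - last_ts) / window)
    stage_ok = PHASES.index(phase) >= PHASES.index(last_phase)  # staged-event judgement
    return ip_score * time_score * float(stage_ok)

def cluster_alerts(alerts, threshold=0.5):
    """Assign each alert, in time order, to the cluster it fits best or open a new one."""
    clusters = []
    for ts, src, dst, sig in sorted(alerts):
        phase = phase_of(sig)
        if phase is None:
            continue  # unclassifiable alerts are dropped before clustering
        event = (ts, src, dst, phase)
        best = max(clusters, key=lambda c: membership(event, c), default=None)
        if best is not None and membership(event, best) >= threshold:
            best.append(event)
        else:
            clusters.append([event])
    return clusters

def transition_matrix(cluster):
    """Phase -> next-phase probabilities for one mined attack sequence."""
    counts = defaultdict(lambda: defaultdict(int))
    for (*_, a), (*_, b) in zip(cluster, cluster[1:]):
        counts[a][b] += 1
    return {a: {b: n / sum(row.values()) for b, n in row.items()} for a, row in counts.items()}
```

On the constructed data the two attackers fall into separate clusters, and the repeat scan two days later opens a third scenario because the time window has expired.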
Keywords/Search Tags:APT, intrusion kill chain, association analysis, fuzzy clustering, attack scenario