
Research On Construction Algorithm Of Attack Scenario Based On Correlation Analysis

Posted on: 2019-02-15
Degree: Master
Type: Thesis
Country: China
Candidate: T Guo
Full Text: PDF
GTID: 2348330542998709
Subject: Information security
Abstract/Summary:
The Internet has developed rapidly in recent years and contributes much to the convenience of daily life. However, because of inherent weaknesses of the Internet, such as its openness and imperfections in protocols and software, devices on the Internet face more and more potential risks, and network security problems increase year by year. Security devices are generally deployed within a network to detect or prevent behaviour that may endanger it, and among them the intrusion detection system (IDS) is one of the most important tools for the administrator. Since the alerts generated by an IDS are low-level and isolated, and their volume is enormous, analysing them directly is inefficient. Processing alerts by correlation analysis and then reconstructing attack scenarios improves the efficiency of alert analysis and gives the administrator a comprehensive and precise picture of what happened.

Research on attack scenario reconstruction still faces many problems. On one hand, some algorithms depend heavily on a knowledge base, and whether that knowledge base is precise enough and kept up to date remains a constant concern for administrators. On the other hand, most algorithms aim at displaying the attack steps but lack correlation and analysis of alerts from the overall perspective of the network. To address these problems, this thesis does the following:

(1) Proposes an alert aggregation algorithm based on rough set theory. The algorithm applies rough set theory to alert aggregation: according to the information extracted from the alerts, a weight is computed for each feature, and from these weights the similarity of two alerts is computed. In addition, two assumptions about attackers' behaviour are proposed, and on the basis of these assumptions the time feature of alerts can be handled.

(2) Proposes an alert correlation algorithm based on IP relations. First, the typical characteristics of multi-step attacks are summarised, which shows that time sequence is one of the connections between alerts. In addition, an IP relation taken from an earlier paper is modified to fit attack scenario reconstruction.

(3) Performs experiments on the aggregation algorithm and the correlation algorithm. The experimental results show that the scheme in this thesis can efficiently reconstruct attack scenarios, provide analysis from both the macro and micro view of network security, and to some extent reveal the false negatives of the IDS.
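The following is an added example of the two-stage pipeline the abstract describes (aggregation by feature-weighted similarity, then correlation by time sequence and IP relation), written for this page and not taken from the thesis. Everything specific is an assumption: the feature weights are hand-chosen integers rather than the rough-set-derived weights of the thesis, the time handling is a plain sliding window instead of the thesis's two assumptions about attacker behaviour, and the IP relation is reduced to two rules (the victim of one step becomes the source of the next, or two steps share the same attacker/victim pair). The alerts are constructed.

```python
"""Added example: alert aggregation + IP-relation correlation over constructed
IDS alerts. Not the thesis's code; weights, window and IP relation are assumed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Alert:
    ts: int        # seconds since epoch (constructed)
    sig: str       # IDS signature / alert type
    src: str       # source IP
    dst: str       # destination IP
    dport: int     # destination port


# ASSUMED feature weights (integers summing to 10). The thesis derives weights
# from rough set theory; here they are hand-chosen constants.
WEIGHTS: Dict[str, int] = {"sig": 4, "src": 2, "dst": 2, "dport": 2}


def similarity(a: Alert, b: Alert) -> float:
    """Weighted share of features on which two alerts agree, in [0, 1]."""
    total = sum(WEIGHTS.values())
    hits = sum(w for f, w in WEIGHTS.items() if getattr(a, f) == getattr(b, f))
    return hits / total


@dataclass
class HyperAlert:
    rep: Alert     # first alert of the group, used as its representative
    last_ts: int   # timestamp of the most recent merged alert
    count: int     # number of raw alerts merged into the group


def aggregate(alerts: List[Alert], threshold: float = 0.8,
              window: int = 60) -> List[HyperAlert]:
    """Merge each alert into the first hyper-alert whose representative is
    similar enough and whose last alert is within `window` seconds (assumed
    time handling); otherwise start a new hyper-alert."""
    groups: List[HyperAlert] = []
    for al in sorted(alerts, key=lambda x: x.ts):
        for g in groups:
            if similarity(al, g.rep) >= threshold and al.ts - g.last_ts <= window:
                g.last_ts = al.ts
                g.count += 1
                break
        else:
            groups.append(HyperAlert(rep=al, last_ts=al.ts, count=1))
    return groups


def correlate(hyper: List[HyperAlert], max_gap: int = 3600) -> List[Tuple[int, int]]:
    """Directed edge i -> j when j starts after i ends (time sequence), within
    max_gap seconds, and an assumed IP relation holds: the victim of i is the
    attacker of j (pivot), or both share the same attacker/victim pair."""
    edges: List[Tuple[int, int]] = []
    for i, a in enumerate(hyper):
        for j, b in enumerate(hyper):
            if i == j or b.rep.ts <= a.last_ts or b.rep.ts - a.last_ts > max_gap:
                continue
            pivot = a.rep.dst == b.rep.src
            same_pair = a.rep.src == b.rep.src and a.rep.dst == b.rep.dst
            if pivot or same_pair:
                edges.append((i, j))
    return edges


def scenarios(n: int, edges: List[Tuple[int, int]]) -> List[List[int]]:
    """Expand the edge set into attack chains: every path from a hyper-alert
    with no predecessor to one with no successor (acyclic, since edges only
    point forward in time)."""
    succ: Dict[int, List[int]] = {i: [] for i in range(n)}
    has_pred = set()
    for i, j in edges:
        succ[i].append(j)
        has_pred.add(j)
    paths: List[List[int]] = []

    def walk(node: int, path: List[int]) -> None:
        if not succ[node]:
            paths.append(path)
            return
        for nxt in succ[node]:
            walk(nxt, path + [nxt])

    for root in range(n):
        if root not in has_pred:
            walk(root, [root])
    return paths


# Constructed alerts: a port scan, a repeated exploit attempt, an unrelated
# scan from elsewhere, and lateral movement launched from the first victim.
SAMPLE_ALERTS = [
    Alert(0,   "PORTSCAN",             "10.0.0.5",     "192.168.1.10", 22),
    Alert(4,   "PORTSCAN",             "10.0.0.5",     "192.168.1.10", 80),
    Alert(9,   "PORTSCAN",             "10.0.0.5",     "192.168.1.10", 443),
    Alert(120, "WEB EXPLOIT ATTEMPT",  "10.0.0.5",     "192.168.1.10", 80),
    Alert(125, "WEB EXPLOIT ATTEMPT",  "10.0.0.5",     "192.168.1.10", 80),
    Alert(300, "PORTSCAN",             "172.16.0.9",   "192.168.1.30", 22),
    Alert(900, "SMB LATERAL MOVEMENT", "192.168.1.10", "192.168.1.20", 445),
]


def run(alerts: List[Alert] = SAMPLE_ALERTS):
    hyper = aggregate(alerts)
    edges = correlate(hyper)
    return hyper, edges, scenarios(len(hyper), edges)


if __name__ == "__main__":
    hyper, edges, chains = run()
    for i, h in enumerate(hyper):
        print(i, h.rep.sig, f"{h.rep.src}->{h.rep.dst}", "x", h.count)
    for chain in chains:
        print(" -> ".join(hyper[i].rep.sig for i in chain))
```

On the constructed input the seven raw alerts collapse to four hyper-alerts (the three scan alerts merge because signature, source and destination agree; the two exploit alerts merge outright), and the correlation step yields the chain scan -> exploit -> lateral movement plus the isolated scan from 172.16.0.9, which shares no IP with the others and so is left as its own scenario. The pivot rule is also where a missed detection becomes visible: a scan linked straight to lateral movement from the scanned host, with no exploit hyper-alert in between, is the kind of gap the abstract refers to when it says the scheme can reveal false negatives of the IDS.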
Keywords/Search Tags: alerts, alert aggregation, correlation analysis, attack scenario reconstruction