
Research On Attack Scenario Reconstruction Method Based On Causal Knowledge Discovery

Posted on: 2018-03-11
Degree: Master
Type: Thesis
Country: China
Candidate: D Fan
Full Text: PDF
GTID: 2348330563452220
Subject: Computer technology

Abstract/Summary:
Since the 1990s, the Intrusion Detection System (IDS) has evolved to supplement the firewall by monitoring computer systems for security violations in real time. When a security threat is detected, it triggers an alert or takes active measures to protect the network. An attack leaves traces in the IDS alerts, so the similarity of an attacker's behaviour across steps shows up in the alerts the IDS generates. Therefore, alert information can be combined to find complex multi-step attack patterns, which makes it possible to build the attack scenario, understand the intrusion, and then provide a basis for detecting multi-step attacks in real time. A method for discovering multi-step attack patterns from alert data was studied, in order to discover the attack pattern and construct the attack scenario from low-level, scattered alerts. Current research suffers from the problem that causal knowledge is complex, hard to understand and hard to acquire automatically.

This paper proposes an attack scenario reconstruction method based on causal knowledge discovery. The method focuses on the following aspects. Firstly, following the KDD process, the business object is identified as the alerts in the IDS, and the purpose of the method is to analyse the multi-step attack pattern and reconstruct the attack scenario. Secondly, the data format is standardised and the sequence set for attack scenarios is constructed from the degree of correlation of IP attributes among alerts, so that alerts belonging to the same attack scenario are clustered into the same attack scenario sequence as far as possible. Thirdly, time series modelling is adopted to eliminate false positives and simplify the attack scenario sequence. Finally, the statistical association between different alert types is found using a probabilistic statistical method. The corresponding algorithm and a graphical representation of the knowledge are also given. The accuracy of the causal knowledge is greatly improved, because the method does not need to rely on a large amount of prior experience or configure a large number of parameters, and the IP correlation analysis and the false-positive reduction algorithm are carried out before the causal relationships are mined. The validity and usability of the method are verified by experiments on the DARPA2000 intrusion scenario data set, a classic intrusion scenario data set.
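As an added illustration, not code from the thesis, the pipeline the abstract describes is reduced to its core on a handful of constructed alerts: IP-attribute clustering into scene sequences, burst collapsing as a simplified stand-in for the time-series false-positive step, and conditional-probability association between consecutive alert types. The alert names, timestamps, IP addresses, the 60-second window and the confidence threshold are all assumptions made for the demo.

```python
from collections import Counter
ALERTS = [  # constructed demo alerts: (timestamp_seconds, alert_type, src_ip, dst_ip)
    (10, "IP_SWEEP", "10.0.0.5", "192.168.1.10"),
    (12, "IP_SWEEP", "10.0.0.5", "192.168.1.10"),      # repeat inside the burst window
    (40, "PORT_SCAN", "10.0.0.5", "192.168.1.10"),
    (90, "RPC_EXPLOIT", "10.0.0.5", "192.168.1.10"),
    (150, "REMOTE_SHELL", "10.0.0.5", "192.168.1.10"),
    (200, "IP_SWEEP", "10.0.0.7", "192.168.1.20"),
    (230, "PORT_SCAN", "10.0.0.7", "192.168.1.20"),
    (300, "RPC_EXPLOIT", "10.0.0.7", "192.168.1.20"),
    (310, "HTTP_PROBE", "172.16.0.9", "192.168.1.30"),  # unrelated single alert
]

def build_scene_sequences(alerts):
    """Step 2: cluster alerts into scene sequences by IP-attribute overlap; an
    alert joins the first sequence sharing its src or dst IP, else opens one."""
    sequences = []  # list of (ip_set, alerts_in_time_order)
    for alert in sorted(alerts):
        ips = {alert[2], alert[3]}
        for ip_set, seq in sequences:
            if ip_set & ips:
                ip_set |= ips
                seq.append(alert)
                break
        else:
            sequences.append((ips, [alert]))
    return [seq for _, seq in sequences]

def simplify(seq, window=60):
    """Step 3 (stand-in for the thesis's time-series step): collapse repeats of
    the same alert type within `window` seconds; return the type sequence."""
    kept = []
    for alert in seq:
        if kept and kept[-1][1] == alert[1] and alert[0] - kept[-1][0] <= window:
            continue
        kept.append(alert)
    return [a[1] for a in kept]

def causal_candidates(type_sequences, min_conf=0.5):
    """Step 4: estimate P(next = B | current = A) over consecutive alert types
    across all sequences and keep the pairs at or above min_conf."""
    pairs, occurrences = Counter(), Counter()
    for types in type_sequences:
        occurrences.update(types)
        pairs.update(zip(types, types[1:]))
    return {(a, b): n / occurrences[a] for (a, b), n in pairs.items()
            if n / occurrences[a] >= min_conf}

def reconstruct(alerts):
    return causal_candidates([simplify(s) for s in build_scene_sequences(alerts)])
```

On the constructed data, `reconstruct(ALERTS)` yields three candidate causal edges; the unrelated HTTP_PROBE alert forms its own single-alert sequence and contributes no edge.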
Keywords/Search Tags: intrusion detection, alert correlation, time series modeling, attack scenario reconstruction