
Research On Network Security Situational Awareness Technology

Posted on: 2019-09-02
Degree: Master
Type: Thesis
Country: China
Candidate: M T Peng
Full Text: PDF
GTID: 2428330572958971
Subject: Engineering

Abstract/Summary:
Under the big data environment, the multi-stage attack mode has gradually become the mainstream mode. Traditional security devices such as intrusion detection systems generate a large number of alarms and store them in the form of databases and log files, including redundant and unrelated alarms. This does not help administrators identify complex multi-stage attack scenarios or predict the next attack. In order to solve these problems, the concept of network security situation awareness has been proposed in recent years. This paper studies methods of alarm collection and alarm correlation. (1) A rule-based method is adopted for collecting alarms from multiple data sources: different SQL rules and capture rules are defined for different types of data sources, alarms in the data sources are matched with specific parameters or regular expressions, and they are normalized into a unified format. This method can collect alarms from both database and local log data sources in real time. (2) An alarm correlation method based on the combination of redundancy relationships and causal probability features is proposed. First, an aggregation method is used to compress the alarms and cluster the alarms from the same stage. Because the time-based similarity method, the suppression-based method, and the multi-feature-based aggregation method cannot identify the stage to which an attack belongs, the redundancy relationship between alarms is divided into four types: duplicate, concurrent, repeated, and similar. Alarms belonging to the same stage are aggregated by this relationship. The alarm compression rate of the proposed method reaches 97.53%, which is 1.78%, 2.34% and 0.86% higher than the three commonly used methods respectively. Then the causal probability feature based on correlation rules is used to correlate all stages of the same single-line attack scenario. This paper uses features such as time, IP, attack stage and alarm type to identify batch attacks and springboard attack scenarios. Finally, the attack prediction method based on causal probability is used to calculate the possibility of predicted routes from the stage feature of the attack. The three largest are selected as the final prediction result, and the accuracy rate reaches about 90%. (3) The DARPA 2000 data set was used to test the functions of alarm aggregation, attack stage correlation, attack prediction, and causal probability training. These methods were applied to the situational awareness system and the correlation results were visualized in a simple form.
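The following is an added illustration of the two collection and aggregation ideas in the abstract (rule-based capture of alarms from different source types into a unified format, then compression of redundant alarms and measurement of the compression rate). It is not the thesis author's code. The two log formats, the sample lines and the year used to complete the IDS timestamps are constructed; the abstract does not define the four redundancy types, so the "duplicate" rule used here (same alarm type, source and destination within a time window) is an assumption, not the thesis's definition.

```python
"""Rule-based alarm collection and duplicate aggregation (added example)."""
import re
from datetime import datetime, timedelta

# One capture rule per data source type. Named groups are the "specific
# parameters" that get normalized into the unified alarm record.
CAPTURE_RULES = {
    # Constructed IDS-style line:
    # "03/01-10:00:01.000 [**] [1:2000001:1] SCAN portscan [**] {TCP} 10.0.0.5:44321 -> 192.168.1.10:22"
    "ids_fast": re.compile(
        r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+) \[\*\*\] \[(?P<sid>[\d:]+)\] "
        r"(?P<msg>.+?) \[\*\*\] \{(?P<proto>\w+)\} "
        r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
    ),
    # Constructed firewall syslog line:
    # "2019-03-01T10:00:01 gw fw: DROP proto=TCP src=10.0.0.5 dst=192.168.1.10 dport=22"
    "fw_syslog": re.compile(
        r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ fw: (?P<action>DROP|REJECT) "
        r"proto=(?P<proto>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
    ),
}

YEAR = 2019  # assumed year for the IDS format, which omits it


def normalize(source_type, line):
    """Apply the capture rule for source_type; return a unified alarm dict, or None
    when the line is not an alarm for that rule (unrelated syslog noise)."""
    m = CAPTURE_RULES[source_type].match(line)
    if not m:
        return None
    g = m.groupdict()
    if source_type == "ids_fast":
        ts = datetime.strptime(f"{YEAR}/{g['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        alarm_type = g["msg"]
    else:
        ts = datetime.strptime(g["ts"], "%Y-%m-%dT%H:%M:%S")
        alarm_type = f"FW {g['action']}"
    return {
        "ts": ts, "source": source_type, "alarm_type": alarm_type,
        "proto": g["proto"], "src_ip": g["src"], "dst_ip": g["dst"],
        "dst_port": int(g["dport"]),
    }


def collect(sources):
    """sources: iterable of (source_type, raw line). Returns normalized alarms in time order."""
    alarms = [normalize(st, ln) for st, ln in sources]
    return sorted((a for a in alarms if a), key=lambda a: a["ts"])


def aggregate_duplicates(alarms, window=timedelta(seconds=60)):
    """Assumed 'duplicate' rule: alarms with the same (type, src, dst) that arrive
    within `window` of the group's first alarm collapse into one aggregated alarm,
    which keeps a count and the destination ports seen (a scan spreads over many)."""
    groups = []
    for a in alarms:
        key = (a["alarm_type"], a["src_ip"], a["dst_ip"])
        for g in groups:
            if g["key"] == key and a["ts"] - g["first_ts"] <= window:
                g["count"] += 1
                g["last_ts"] = a["ts"]
                g["dst_ports"].add(a["dst_port"])
                break
        else:
            groups.append({"key": key, "first_ts": a["ts"], "last_ts": a["ts"],
                           "count": 1, "dst_ports": {a["dst_port"]}, "source": a["source"]})
    return groups


def compression_rate(raw_count, aggregated_count):
    """Fraction of raw alarms removed by aggregation (the metric the abstract reports)."""
    return 1 - aggregated_count / raw_count if raw_count else 0.0


# Constructed sample data: a port scan and a later exploit attempt seen by the IDS,
# the same scan seen by the firewall, and one unrelated line that must be ignored.
SAMPLE_SOURCES = [
    ("ids_fast", "03/01-10:00:01.000 [**] [1:2000001:1] SCAN portscan [**] {TCP} 10.0.0.5:44321 -> 192.168.1.10:22"),
    ("ids_fast", "03/01-10:00:02.000 [**] [1:2000001:1] SCAN portscan [**] {TCP} 10.0.0.5:44322 -> 192.168.1.10:23"),
    ("ids_fast", "03/01-10:00:03.000 [**] [1:2000001:1] SCAN portscan [**] {TCP} 10.0.0.5:44323 -> 192.168.1.10:80"),
    ("ids_fast", "03/01-10:05:00.000 [**] [1:2000002:1] EXPLOIT attempt [**] {TCP} 10.0.0.5:50000 -> 192.168.1.10:80"),
    ("fw_syslog", "2019-03-01T10:00:01 gw fw: DROP proto=TCP src=10.0.0.5 dst=192.168.1.10 dport=22"),
    ("fw_syslog", "2019-03-01T10:00:02 gw fw: DROP proto=TCP src=10.0.0.5 dst=192.168.1.10 dport=23"),
    ("fw_syslog", "2019-03-01T10:00:05 gw sshd: Accepted publickey for admin"),
]


def run_sample():
    """Collect, aggregate and score the constructed sample; returns (raw, aggregated, rate)."""
    raw = collect(SAMPLE_SOURCES)
    agg = aggregate_duplicates(raw)
    return raw, agg, compression_rate(len(raw), len(agg))


if __name__ == "__main__":
    raw, agg, rate = run_sample()
    for g in agg:
        print(g["key"], f"x{g['count']}", "ports", sorted(g["dst_ports"]))
    print(f"{len(raw)} raw -> {len(agg)} aggregated, compression {rate:.2%}")
```

On the sample, six alarms collapse to three (the scan as one IDS alarm covering ports 22, 23 and 80, the firewall drops as one, the exploit attempt on its own), a 50% compression rate; the thesis's 97.53% on DARPA 2000 comes from its own four-type relationship, which this assumed rule only approximates. Adding a real database source would mean another entry in CAPTURE_RULES whose "rule" is an SQL query plus a row-to-record mapping rather than a regex.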
Keywords/Search Tags: Situational Awareness, Alarm collection, Alarm Aggregation, Alarm Correlation, Attack Prediction