
Research On IDS Alert Log Scenario Mining Model Based On Neural Network And Bayesian Network Attack Graph

Posted on: 2020-08-18
Degree: Master
Type: Thesis
Country: China
Candidate: B W Liu
Full Text: PDF
GTID: 2428330572972221
Subject: Information security
Abstract/Summary:
With the continuous development and innovation of Internet technology, more and more related services are provided. On the one hand this makes everyone's life more convenient; on the other hand it also brings various potential security issues. Like firewalls, intrusion detection systems (IDS), which detect various types of attacks in the network, have become increasingly popular as a kind of active defense technology. How to develop the IDS's capability to identify and predict multi-step attack scenarios has become a matter of close attention. So far, intrusion detection systems still have quite a lot of problems in identifying the multi-step attack scenarios launched by attackers, including: (1) because of the huge amount of alarm information, the attacker's intention cannot be identified quickly and effectively, and the individual steps of the attacker's multi-step attack scenario cannot be predicted; (2) recognizing the multi-step attack scenario behind the current alarm mostly relies on the prior knowledge of security experts, which costs a great deal of effort and is inefficient.

In response to these problems, the work in this thesis is mainly in the following aspects:

1. Aiming at the large number of false alerts in the original IDS alarm log data, a neural-network-based alert false-positive elimination algorithm is proposed. Based on neural network theory, the algorithm uses the relevant characteristics of real alerts to extract six advanced features, feeds them into a four-layer neural network, trains it on the data, and then accurately determines whether an alarm log entry is correct. It can quickly and effectively screen erroneous alerts out of a large number of alert logs, laying the foundation for the subsequent scenario mining work.

2. A causal association algorithm based on a Bayesian network attack graph is proposed for the correlation between IDS alert logs. First, a packet aggregation operation is performed on the alerts that remain after false-positive elimination, further reducing the number of alerts. Then, on the theoretical basis of the Bayesian network and the timing characteristics of the alerts, a Bayesian network attack graph is constructed to illustrate the association between the individual alerts.

3. Aiming at the problem of mining attack scenarios from large-scale real-time alerts, and building on the analysis of the false-positive elimination algorithm and the causal association algorithm, a multi-step attack scenario mining algorithm based on real-time alerts is proposed that uses the correlation characteristics of the neural network and the Bayesian network attack graph to complete the mining of multi-step attack scenarios more efficiently.

4. The results of the false-positive elimination algorithm, the causal association algorithm and the multi-step attack scenario mining model are analyzed. The experimental results show that the multi-step attack scenario mining model based on real-time alerts can effectively reconstruct multi-step attack scenarios, and comparison shows that the algorithm outperforms the other models in the accuracy of false-positive elimination and the speed of scenario mining.
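The following Python example, added here and not part of the thesis or its implementation, illustrates the second and third contributions above: alerts that survive false-positive elimination are aggregated by (signature, source, destination) within a time window, a Bayesian-network-style attack graph is built whose edges carry the conditional probability that one alert type is followed by another on the same attacker/victim pair, and the graph is walked to reconstruct a multi-step scenario. The alert log lines, the `timestamp|signature|src|dst` format, the addresses, the window sizes and the threshold are all constructed assumptions; the neural-network false-positive stage is omitted because the abstract does not name its six features.

```python
"""Alert aggregation and time-ordered causal association for IDS alerts.

Added illustration, not the thesis's code: collapses repeated alerts,
builds a Bayesian-network-style attack graph from alert ordering, and
walks it to reconstruct the most probable multi-step attack scenario.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample alert log in an assumed "timestamp|signature|src|dst"
# format. Hosts are placeholder RFC 1918 addresses; nothing here is real data.
SAMPLE_LOG = """\
2020-01-01 10:00:01|SCAN nmap TCP|10.0.0.5|10.0.0.20
2020-01-01 10:00:02|SCAN nmap TCP|10.0.0.5|10.0.0.20
2020-01-01 10:00:03|SCAN nmap TCP|10.0.0.5|10.0.0.20
2020-01-01 10:00:40|WEB-ATTACK sqli|10.0.0.5|10.0.0.20
2020-01-01 10:01:10|WEB-ATTACK sqli|10.0.0.5|10.0.0.20
2020-01-01 10:03:00|SHELL reverse tcp|10.0.0.20|10.0.0.5
2020-01-01 10:09:00|SCAN nmap TCP|10.0.0.7|10.0.0.21
2020-01-01 10:09:30|WEB-ATTACK sqli|10.0.0.7|10.0.0.21
2020-01-01 10:10:00|SCAN nmap TCP|10.0.0.9|10.0.0.22
"""


def parse_alerts(text):
    """Parse the assumed pipe-separated log into time-sorted alert dicts."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sig, src, dst = line.split("|")
        alerts.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "sig": sig, "src": src, "dst": dst})
    return sorted(alerts, key=lambda a: a["ts"])


def aggregate(alerts, window=timedelta(seconds=60)):
    """Collapse repeated (sig, src, dst) alerts within `window` into one
    aggregated alert carrying a count; this is the reduction step."""
    groups = []
    for a in alerts:
        for g in groups:
            same_key = (g["sig"], g["src"], g["dst"]) == (a["sig"], a["src"], a["dst"])
            if same_key and a["ts"] - g["last"] <= window:
                g["count"] += 1
                g["last"] = a["ts"]
                break
        else:
            groups.append({**a, "last": a["ts"], "count": 1})
    return groups


def build_attack_graph(groups, window=timedelta(minutes=5)):
    """Count ordered transitions a -> b between aggregated alerts that share
    an attacker/victim pair (same direction, or reversed as for a callback
    from the victim) within `window`, then normalise each node's outgoing
    counts into conditional probabilities P(b follows a)."""
    trans, outdeg = Counter(), Counter()
    for i, a in enumerate(groups):
        for b in groups[i + 1:]:
            if b["ts"] - a["last"] > window:
                break  # groups are time-ordered, so later ones are too far
            same_flow = (a["src"], a["dst"]) == (b["src"], b["dst"])
            reversed_flow = (a["src"], a["dst"]) == (b["dst"], b["src"])
            if same_flow or reversed_flow:
                trans[(a["sig"], b["sig"])] += 1
                outdeg[a["sig"]] += 1
    graph = defaultdict(dict)
    for (x, y), n in trans.items():
        graph[x][y] = n / outdeg[x]
    return graph


def mine_scenario(graph, start, threshold=0.5):
    """Follow the most probable outgoing edge from `start` while its
    probability stays above `threshold`; the path is the mined scenario."""
    chain, seen = [start], {start}
    while graph.get(chain[-1]):
        nxt, p = max(graph[chain[-1]].items(), key=lambda kv: kv[1])
        if p < threshold or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


if __name__ == "__main__":
    groups = aggregate(parse_alerts(SAMPLE_LOG))
    graph = build_attack_graph(groups)
    for g in groups:
        print(f"{g['ts']} {g['sig']:18} {g['src']}->{g['dst']} x{g['count']}")
    for x, edges in graph.items():
        print(x, {y: round(p, 2) for y, p in edges.items()})
    print("scenario:", " -> ".join(mine_scenario(graph, "SCAN nmap TCP")))
```

On the constructed log the nine raw alerts collapse to six aggregated ones, the scan-to-injection edge gets probability 2/3 because one scanning host never progressed, and the walk from the scan alert reconstructs the three-step chain scan, injection, reverse shell. In a real deployment the edge probabilities would be learned over many alert streams rather than a single log, and the reversed-flow rule is only one of several plausible linking conditions.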
Keywords/Search Tags:false alert elimination, neural network, association analysis, attack scenario mining