Study On Intrusion Intent Recognition Based On Temporal Sequence Association

Posted on: 2019-02-18
Degree: Master
Type: Thesis
Country: China
Candidate: Y T Liu
GTID: 2428330590465741
Subject: Computer Science and Technology

Abstract/Summary:
With the advent of the era of global integration, the Internet has become an irreplaceable part of people's lives. The convenience and popularity of the network have also made it a venue for malicious software and cybercrime. CNCERT/CC, in its 2015 annual report on Internet network security, pointed out that compound attacks such as DDoS and APT have become mainstream. Cyber attacks are becoming increasingly stealthy and long-lasting, so it is very important to take response measures to defend against an attack before it is completed. In reality, the vast majority of cyber attacks are not isolated behaviors but complex attacks whose steps are carried out in a certain logical relationship. Detecting network attacks therefore requires putting compound attack detection and the key technologies for security threats in a core position; this is the key to network security situation awareness and also one of the hotspots of network security research.

This thesis focuses on composite attacks. Taking an interdisciplinary approach to network intrusion intent recognition, it aims to study how belief in the attacker's intent changes while a complex attack event is carried out, and to perceive how the attack evolves and develops. At the same time, it aims to perceive the stage an attack has reached, mine the causal links between attacks, and bring an attack to an early end. The contributions of this thesis can be summarized as follows:

1. In view of the weak semantics and weak relations of IDS alerts, a method for reconstructing attack scenarios is designed. First, redundant alerts are removed and alerts are standardized to obtain super alerts. Second, alerts are clustered according to their occurrence time and IP address, yielding time-based alert clusters. Then a time series algorithm is used to obtain attack sequences. Taking into account the absence and the independence of scenarios, a Hidden Markov Model (HMM) is introduced and the maximum-likelihood attack scenario is calculated using probability.

2. Because an HMM cannot perform probabilistic reasoning, generate multiple attack intents, or perceive the attack stage, a Hidden Markov Probability Reasoning Model (HMPRM) is put forward to address the problem that the HMM outputs only a single optimal result. First, transformation rules are designed to convert the HMM into a Bayesian network. Second, the Loopy Belief Propagation (LBP) algorithm is used: as attack evidence arrives in real time, the confidence level of each node in the network is updated, giving the currently likely attack intents and a prediction of the next attack stage.

Finally, the approach is verified experimentally on the open DARPA 2000 LLDOS 1.0 dataset. The experiments show that the optimized model and algorithm of this thesis can be applied effectively to composite attacks with pronounced temporal and probabilistic relationships. They make it possible to understand the development stages of a complex attack at a more macro level and to give advance warning of malicious attacks, and they provide an effective basis for network security situational awareness and for network defense.
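The idea of updating belief over attack stages as alerts arrive, as an added example that is not the thesis's code: it runs the standard HMM forward (filtering) recursion on a chain rather than the thesis's HMPRM with LBP. The five stage names, the alert types and every probability below are constructed assumptions.

```python
# Added illustration: stages, alert types and all probabilities are constructed.
STAGES = ["ip_sweep", "service_probe", "break_in", "install", "ddos"]
ALERTS = ["icmp_sweep", "rpc_probe", "rpc_overflow", "remote_shell", "flood"]
N = len(STAGES)

# Initial belief: a campaign most likely starts at the first stage.
PI = [0.8, 0.05, 0.05, 0.05, 0.05]

# Left-to-right transitions: stay in a stage (0.4) or advance (0.6).
A = [[0.0] * N for _ in range(N)]
for i in range(N - 1):
    A[i][i], A[i][i + 1] = 0.4, 0.6
A[N - 1][N - 1] = 1.0  # final stage is absorbing

# Emissions: each stage mostly raises its own alert type (0.8); the remaining
# 0.2 is spread over the others to model noisy or missing alerts.
B = [[0.8 if k == i else 0.05 for k in range(N)] for i in range(N)]


def predict(belief):
    """One-step-ahead stage distribution: belief pushed through A."""
    return [sum(belief[i] * A[i][j] for i in range(N)) for j in range(N)]


def filter_alerts(alerts):
    """Forward recursion: P(current stage | alerts seen so far)."""
    belief = list(PI)  # with no alerts yet, the belief is just the prior
    for t, alert in enumerate(alerts):
        k = ALERTS.index(alert)  # raises ValueError on an unknown alert type
        prior = PI if t == 0 else predict(belief)
        unnorm = [prior[i] * B[i][k] for i in range(N)]
        total = sum(unnorm)
        belief = [u / total for u in unnorm]
    return belief


def assess(alerts):
    """Return (most likely current stage, most likely next stage, belief)."""
    belief = filter_alerts(alerts)
    nxt = predict(belief)
    cur = max(range(N), key=lambda i: belief[i])
    return STAGES[cur], STAGES[max(range(N), key=lambda j: nxt[j])], belief


if __name__ == "__main__":
    # Constructed alert streams; the second one is missing the rpc_probe alert.
    print(assess(["icmp_sweep", "rpc_probe", "rpc_overflow"])[:2])
    print(assess(["icmp_sweep", "rpc_overflow", "remote_shell"])[:2])
```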
Keywords/Search Tags:intrusion intent, multi-stage attack, hidden markov model, loopy belief propagation