
Research On Intrusion Scene Reconstruction Technology Based On Alarm Confidence

Posted on: 2021-02-04 | Degree: Master | Type: Thesis
Country: China | Candidate: C Y Wu | Full Text: PDF
GTID: 2428330611455261 | Subject: Engineering
Abstract/Summary:
With the rapid development of computer hardware and software, information technology has penetrated every aspect of people's work and life. It has brought efficiency and convenience, but also considerable risk, and in recent years numerous network security incidents have occurred. Studying how to reproduce an attacker's attack process from log data is therefore of great significance for the analysis of network security events.

Current network security equipment performs attack detection by signature matching. The advantage of this method is that operators can add or remove detection rules as needed, which makes it flexible to use, but it also suffers from a high false alarm rate. Investigation shows that existing intrusion scenario reconstruction technologies and methods basically work directly on the alarms produced by the security equipment. Because these devices generate false alarms, analysing their alarms directly means processing more alarms, and the false alarms also degrade the accuracy of the reconstructed attack scenario.

In view of these problems, this paper combines machine learning to develop an intrusion scenario reconstruction technique based on alarm confidence. By calculating the confidence of each original alarm, false alarms are deleted, reducing the amount of data in subsequent processing. First, machine learning is used to obtain the confidence of each original alarm; the accuracy of the machine learning model and the obtained confidence are then used to classify the original alarms into three types: confirmed attacks, highly suspicious alarms, and alarms that can be directly eliminated. Next, an alarm similarity function computes the similarity between original alarms based on the alarm's attack type, source IP and time attributes, and the similarity is used to aggregate alarms into super-alarms at a higher level of abstraction. In the final alarm correlation step, this paper proposes a method for super-alarm correlation based on alarm threat value and asset weights. Compared with traditional causality-based alarm correlation, this method has the advantage of not requiring the cause and consequence of each individual attack to be specified.

In the experimental part, the CNN algorithm was used to train three machine learning models to detect three different attacks: XSS attacks, SQL injection attacks and PHP WebShell attacks. The accuracy of the XSS detection model is 98%, that of the SQL injection detection model 97%, and that of the PHP WebShell detection model 91%. To simulate an enterprise internal network, a small experimental range with a three-layer network environment was built from four virtual machines; the original attack logs were obtained by simulating an attacker, and finally the intrusion scenario was reconstructed with the prototype system. The experimental results show that the proposed intrusion scenario reconstruction method can reconstruct the attacker's intrusion scenario, and that, compared with the case where no alarms are classified, classifying the alarms reduces the original alarms by 12%.
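The classify-and-aggregate stage of the pipeline described above, written here as an added Python example (not code from the thesis): the three-way split uses the reported model accuracies as confidence thresholds, while the threshold rule itself, the similarity weights, the 300 s time window and the 0.9 merge threshold are assumptions, and the alarm records are constructed sample data.

```python
from dataclasses import dataclass, field
# Model accuracies reported in the abstract (XSS 98%, SQLi 97%, PHP WebShell 91%).
MODEL_ACCURACY = {"xss": 0.98, "sqli": 0.97, "webshell": 0.91}

@dataclass
class Alarm:
    attack_type: str   # key into MODEL_ACCURACY
    src_ip: str
    ts: int            # alarm time in seconds (constructed sample values)
    confidence: float  # detector's probability that the alarm is a real attack

@dataclass
class SuperAlarm:
    attack_type: str
    src_ip: str
    last_ts: int
    members: list = field(default_factory=list)

def classify(a: Alarm) -> str:
    """Assumed rule: confirmed at >= model accuracy, eliminated at <= its error rate."""
    acc = MODEL_ACCURACY[a.attack_type]
    if a.confidence >= acc:
        return "confirmed"
    return "eliminated" if a.confidence <= 1.0 - acc else "suspicious"

def similarity(a: Alarm, s: SuperAlarm, window: int = 300) -> float:
    """Weighted match on attack type, source IP and time gap (weights assumed)."""
    same_type = 1.0 if a.attack_type == s.attack_type else 0.0
    same_ip = 1.0 if a.src_ip == s.src_ip else 0.0
    time_score = max(0.0, 1.0 - abs(a.ts - s.last_ts) / window)  # 0 beyond window
    return 0.4 * same_type + 0.4 * same_ip + 0.2 * time_score

def aggregate(alarms: list, threshold: float = 0.9) -> list:
    """Drop eliminated alarms, then greedily merge the rest into super-alarms."""
    kept = sorted((a for a in alarms if classify(a) != "eliminated"), key=lambda a: a.ts)
    supers = []
    for a in kept:
        best = max(supers, key=lambda s: similarity(a, s), default=None)
        if best is not None and similarity(a, best) >= threshold:
            best.members.append(a)
            best.last_ts = a.ts
        else:
            supers.append(SuperAlarm(a.attack_type, a.src_ip, a.ts, [a]))
    return supers

# Constructed sample (type, src_ip, ts, confidence): an XSS burst, a SQLi probe, a later
# WebShell hit, and two low-confidence alarms that the classifier should eliminate.
SAMPLE_ALARMS = [Alarm(*r) for r in [
    ("xss", "10.0.0.5", 0, 0.99), ("xss", "10.0.0.5", 60, 0.985), ("xss", "10.0.0.5", 120, 0.60),
    ("xss", "10.0.0.9", 125, 0.01), ("sqli", "10.0.0.5", 130, 0.99),
    ("webshell", "10.0.0.5", 200, 0.05), ("webshell", "10.0.0.5", 900, 0.95)]]
```

Running `aggregate(SAMPLE_ALARMS)` drops the two eliminated alarms and yields three super-alarms, the XSS burst collapsing into one; the less accurate WebShell model needs a higher confidence before an alarm is confirmed and tolerates a higher confidence before one is eliminated.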
Keywords/Search Tags: machine learning, confidence, alarm classification, attack scenario reconstruction