
Inferring Attack Intent Based On Multi-Source Data Association Analysis

Posted on: 2020-02-08
Degree: Master
Type: Thesis
Country: China
Candidate: F F Zheng
Full Text: PDF
GTID: 2428330623459877
Subject: Cyberspace security

Abstract/Summary:
With the development of network technology, the scale of intrusions keeps growing, the means and techniques of intrusion are constantly evolving, and both the initiators and the targets of intrusion are becoming more and more distributed. It is difficult to learn an intruder's attack intention directly through traditional network security solutions. To address how the intruder's attack intention can be identified effectively, this thesis focuses on the actual situation of CERNET (China Education and Research Network) and conducts an in-depth analysis of the problem. It researches and designs three schemes: forensic collection, communication activity identification, and tracking result fusion. Together these schemes provide strong evidence from which security analysts can infer attack intentions.

In the aspect of forensic collection, this thesis implements a forensic collection scheme for multiple tracking tasks. The scheme first completes the lifecycle management of tracking tasks. Then a producer-consumer-based message collection and separation scheme is designed to decouple message collection from message separation. The packet collection module uses the PF_RING ZC high-speed packet capture tool to capture packets from the network card and periodically stores the collected traffic in local disk files. The packet separation module periodically reads these disk files according to the collection rules of each tracking task and separates them offline.

In the aspect of communication activity identification, this thesis designs and implements a communication activity identification scheme based on application-layer protocol analysis. The scheme is based on offline packet detection. First, the intrusion detection software Suricata and the protocol analysis system Bro are used to detect the communication messages; then the alarm log and the protocol activity log are processed separately. Processing of the alarm log includes alarm filtering, format unification, and alarm information storage; processing of the protocol activity log includes information enrichment and protocol activity information storage.

In the aspect of tracking result fusion, this thesis designs and implements a tracking result generation scheme based on data fusion. The scheme first acquires the relevant data located on different nodes through an application call interface designed for this purpose; it then preprocesses the data to extract the information of value for subsequent fusion; and it then fuses the preprocessed multi-source heterogeneous data along the two dimensions of time and space and from the two perspectives of the tracked IP and the IP pair, generating a tracking result that describes the intruder's attack process from multiple angles. Finally, the Echarts tool and the Bootstrap framework are used to display the fusion result in the user interface.

In the aspect of scheme verification, this thesis conducts experiments and analysis for each scheme separately. The experimental results show that the attack intention inference function designed and implemented in this thesis effectively guarantees the timeliness and accuracy of security incident response.
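The following is an added example, not code from the thesis, showing in miniature the log-processing and fusion pipeline the abstract describes: Suricata alarm filtering (dropping non-alert records and suppressing repeated identical alerts), format unification of Suricata EVE JSON and Bro/Zeek conn.log rows into one record shape, information enrichment with an asset tag, and fusion of the result along the time dimension (an ordered timeline) and the space dimension (a per-IP-pair summary) for one tracked IP. The sample log lines, the asset table, the nine-column conn.log layout and the 5-second de-duplication window are all constructed assumptions for the example.

```python
"""Added example (not the thesis's code): fuse Suricata alerts and Bro/Zeek
connection logs into a tracking result for one tracked IP, by time and IP pair."""
import json
from datetime import datetime

# Constructed sample Suricata EVE JSON lines (not real traffic).
SURICATA_EVE = """\
{"timestamp":"2020-01-15T10:00:01.000000+0000","event_type":"alert","src_ip":"203.0.113.7","src_port":44444,"dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP","alert":{"signature":"SSH brute force attempt","severity":2}}
{"timestamp":"2020-01-15T10:00:02.000000+0000","event_type":"flow","src_ip":"203.0.113.7","src_port":44445,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP"}
{"timestamp":"2020-01-15T10:00:03.000000+0000","event_type":"alert","src_ip":"203.0.113.7","src_port":44446,"dest_ip":"192.0.2.11","dest_port":80,"proto":"TCP","alert":{"signature":"SQL injection attempt","severity":1}}
{"timestamp":"2020-01-15T10:00:03.500000+0000","event_type":"alert","src_ip":"203.0.113.7","src_port":44446,"dest_ip":"192.0.2.11","dest_port":80,"proto":"TCP","alert":{"signature":"SQL injection attempt","severity":1}}
"""

# Constructed conn.log-style TSV rows; the column layout is an assumption of this example:
# ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service, conn_state
ZEEK_CONN = """\
1579082401.000000\tCab1\t203.0.113.7\t44444\t192.0.2.10\t22\ttcp\tssh\tS0
1579082402.000000\tCab2\t203.0.113.7\t44445\t192.0.2.10\t80\ttcp\thttp\tSF
1579082403.000000\tCab3\t203.0.113.7\t44446\t192.0.2.11\t80\ttcp\thttp\tSF
"""

# Constructed asset table used for information enrichment.
ASSET_TAGS = {"192.0.2.10": "ssh-bastion", "192.0.2.11": "web-portal"}


def _eve_ts(s):
    """Suricata ISO-8601 timestamp with numeric offset -> epoch seconds."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%f%z").timestamp()


def parse_suricata(text, dedup_window=5.0):
    """Alarm filtering + format unification for EVE JSON lines.
    Keeps only 'alert' records and suppresses an identical alert
    (same src, dst, port, signature) repeated within dedup_window seconds."""
    events, last_seen = [], {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue  # flow/dns/etc. are not alarms
        ts = _eve_ts(rec["timestamp"])
        key = (rec["src_ip"], rec["dest_ip"], rec["dest_port"], rec["alert"]["signature"])
        if key in last_seen and ts - last_seen[key] < dedup_window:
            continue  # repeated alarm, filtered
        last_seen[key] = ts
        events.append({"ts": ts, "src": rec["src_ip"], "dst": rec["dest_ip"],
                       "dport": rec["dest_port"], "proto": rec["proto"].lower(),
                       "kind": "alert", "detail": rec["alert"]["signature"],
                       "severity": rec["alert"]["severity"]})
    return events


def parse_zeek_conn(text):
    """Format unification + enrichment (asset tag) for conn.log rows."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, uid, src, sport, dst, dport, proto, service, state = line.split("\t")
        events.append({"ts": float(ts), "src": src, "dst": dst, "dport": int(dport),
                       "proto": proto, "kind": "conn", "detail": service,
                       "state": state, "uid": uid,
                       "asset": ASSET_TAGS.get(dst, "unknown")})
    return events


def fuse(events, tracked_ip):
    """Time dimension: ordered timeline of everything involving tracked_ip.
    Space dimension: one summary per peer, i.e. per (tracked_ip, peer) IP pair."""
    timeline = sorted((e for e in events if tracked_ip in (e["src"], e["dst"])),
                      key=lambda e: e["ts"])
    pairs = {}
    for e in timeline:
        peer = e["dst"] if e["src"] == tracked_ip else e["src"]
        p = pairs.setdefault(peer, {"first_seen": e["ts"], "last_seen": e["ts"],
                                    "alerts": [], "services": set(), "asset": None})
        p["last_seen"] = max(p["last_seen"], e["ts"])
        if e["kind"] == "alert":
            p["alerts"].append(e["detail"])
        else:
            p["services"].add(e["detail"])
            p["asset"] = e["asset"]
    return {"tracked_ip": tracked_ip, "timeline": timeline, "pairs": pairs}


def build_tracking_result(eve_text, conn_text, tracked_ip):
    """Run both parsers and fuse their output for one tracked IP."""
    return fuse(parse_suricata(eve_text) + parse_zeek_conn(conn_text), tracked_ip)


def attack_path(result):
    """Peers in order of first contact: (peer, asset, services, alerts)."""
    ordered = sorted(result["pairs"].items(), key=lambda kv: kv[1]["first_seen"])
    return [(peer, p["asset"], sorted(p["services"]), p["alerts"]) for peer, p in ordered]


if __name__ == "__main__":
    for step in attack_path(build_tracking_result(SURICATA_EVE, ZEEK_CONN, "203.0.113.7")):
        print(step)
```

The tracked-IP view is what an analyst reads first (what did this source touch, in what order); the per-pair view is what the abstract calls the IP-pair perspective, and it is where an alert with no matching connection record (or a connection with no alert) becomes visible as a gap worth checking between the two sensors.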
Keywords/Search Tags: Network Attacks, Security Event, Traffic Collection, Attack Intention Inference