
Research On HMM Compound Attack Prediction Method Based On Alert Correlation

Posted on: 2022-11-06
Degree: Master
Type: Thesis
Country: China
Candidate: Z Q Li
GTID: 2518306614958859
Subject: Computer software and theory
Abstract/Summary:
With the rapid development of the Internet, network security has become a global concern. The emergence of complex multi-stage attacks against companies and governments has brought new challenges to network security. Current detection systems focus on improving the accuracy of their alerts while ignoring the attacker's strategy and goals. The large volume of alert data produced by a detection system not only records the attacker's intrusion behavior but also implies the intruder's attack pattern and intention. Observing alerts in isolation, without analyzing the correlations between them, discards much of the information carried by those correlations and leaves the defender in a purely passive position. How to discover the connections between alerts and infer the attacker's intention from the large number of alerts generated by a detection system is therefore a problem that needs to be solved. On this basis, this thesis proposes an active defense method that identifies attack intentions and predicts the next attack by reconstructing the attacker's attack scenario.

First, to reconstruct the attack scenario, the alerts are preprocessed (format standardization and redundancy elimination), grouped by destination IP address, and then correlated within each group on the basis of time. For the time intervals between adjacent alerts in a group, Grubbs' method is used: the mean and standard deviation of the inter-alert intervals are computed, and the G value of the largest interval is calculated (the distance of the largest interval from the mean, measured in standard deviations). When G exceeds the set threshold Gp, the two alerts that bound the largest interval mark a cutting point between alert segments, which yields the alert segments belonging to the same attack scenario. After the alert segments have been generated, segments that contain the same alert type are merged, which restores the attack scene graph of the target network.

Second, the attacker's intention and next attack step are predicted so that the network administrator can prepare for the next attack in advance and regain the defensive initiative. A hidden Markov model is established, and the Viterbi algorithm is used to decode the attacker's attack intention from the correlated alert sequence. An improved Forward algorithm is then applied to the known correlated alert segments to compute the probability of the attacker's next intention and the probability that the target network will raise each type of alert at the next moment; these probabilities are sorted and output, and the attack intention and alert type with the highest probability are taken as the attacker's next attack plan. Finally, an alert correlation and attack prediction system is designed, and the effectiveness of the proposed network defense method is verified experimentally.

In summary, the proposed method can find the latent attack patterns in the massive alert information produced by a network compound attack and predict the attacker's next intention and behavior. It provides network administrators with both a description of the compound attack at the current moment and a prediction of the upcoming attack, and offers a reference for network security situation awareness, network defense strategy and active defense.
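As an added illustration of the pipeline described above (example code written for this page, not code from the thesis), the following Python runs its two stages on a constructed alert list: destination-IP grouping and Grubbs-based time segmentation of the alerts, then a hidden Markov model whose Viterbi decoding gives the intention sequence and whose forward pass gives the ranked probabilities of the next intention and the next alert type. The alert types, intention states, initial/transition/emission matrices and the threshold Gp are hand-set assumptions rather than values trained or chosen in the thesis; the standard Forward algorithm stands in for the thesis's improved variant, which the abstract does not detail; and the merging of segments into a scene graph is not shown.

```python
"""Alert correlation and HMM attack prediction on constructed data (illustration, not thesis code)."""
from collections import defaultdict
from statistics import mean, stdev

# Constructed IDS alerts (hypothetical): (timestamp in seconds, destination IP, alert type).
# Two attack runs against 10.0.0.5 ten minutes apart, one exact duplicate, one stray alert elsewhere.
RAW_ALERTS = [
    (0, "10.0.0.5", "PORT_SCAN"), (5, "10.0.0.5", "PORT_SCAN"), (9, "10.0.0.5", "SQLI"),
    (14, "10.0.0.5", "SHELL_CMD"), (14, "10.0.0.5", "SHELL_CMD"), (20, "10.0.0.5", "DATA_XFER"),
    (600, "10.0.0.5", "PORT_SCAN"), (605, "10.0.0.5", "SQLI"),
    (610, "10.0.0.5", "SHELL_CMD"), (616, "10.0.0.5", "DATA_XFER"),
    (300, "10.0.0.9", "PORT_SCAN"),
]

# Hidden intentions, observable alert types and hand-set HMM parameters (assumptions, not trained).
STATES = ["Recon", "Intrusion", "Control", "Exfiltration"]
OBS = ["PORT_SCAN", "SQLI", "SHELL_CMD", "DATA_XFER"]
PI = [0.70, 0.20, 0.05, 0.05]                       # initial intention distribution
A = [[0.50, 0.40, 0.05, 0.05],                      # A[i][j]: P(next intention j | intention i)
     [0.10, 0.40, 0.40, 0.10],
     [0.05, 0.15, 0.40, 0.40],
     [0.05, 0.05, 0.20, 0.70]]
B = [[0.80, 0.10, 0.05, 0.05],                      # B[i][k]: P(alert type k | intention i)
     [0.10, 0.70, 0.15, 0.05],
     [0.05, 0.15, 0.70, 0.10],
     [0.05, 0.05, 0.20, 0.70]]


def preprocess(alerts):
    """Redundancy elimination (drop exact duplicates) and a time-ordered, uniform tuple format."""
    return sorted(set(alerts))


def group_by_destination(alerts):
    """Alerts are grouped by destination IP before any time-based correlation."""
    groups = defaultdict(list)
    for alert in alerts:
        groups[alert[1]].append(alert)
    return groups


def grubbs_segments(group, gp, min_alerts=4):
    """Cut a time-ordered group at its largest inter-alert interval when Grubbs' G exceeds gp.

    G = (max interval - mean interval) / std of intervals.  gp is a fixed threshold here; in
    practice it should be the Grubbs critical value for the current n and significance level.
    Cutting is applied recursively to both halves (an assumption; the abstract describes one cut).
    """
    if len(group) < min_alerts:                     # Grubbs' test needs at least three intervals
        return [group]
    gaps = [b[0] - a[0] for a, b in zip(group, group[1:])]
    mu, sigma = mean(gaps), stdev(gaps)
    if sigma == 0:
        return [group]
    k = max(range(len(gaps)), key=gaps.__getitem__)  # index of the largest interval
    if (gaps[k] - mu) / sigma <= gp:
        return [group]
    return grubbs_segments(group[:k + 1], gp, min_alerts) + grubbs_segments(group[k + 1:], gp, min_alerts)


def viterbi(alert_types):
    """Decode the most probable intention sequence behind one segment's alert types."""
    o = [OBS.index(t) for t in alert_types]
    n = len(STATES)
    delta = [PI[i] * B[i][o[0]] for i in range(n)]
    back = []
    for t in range(1, len(o)):
        prev, delta, ptr = delta, [], []
        for j in range(n):
            i = max(range(n), key=lambda s: prev[s] * A[s][j])
            delta.append(prev[i] * A[i][j] * B[j][o[t]])
            ptr.append(i)
        back.append(ptr)
    path = [max(range(n), key=delta.__getitem__)]
    for ptr in reversed(back):
        path.append(ptr[path[-1]])
    return [STATES[s] for s in reversed(path)]


def predict_next(alert_types):
    """Forward algorithm: posterior over the current intention, then ranked distributions for the
    attacker's next intention and for the alert type the target network will raise next."""
    o = [OBS.index(t) for t in alert_types]
    n = len(STATES)
    alpha = [PI[i] * B[i][o[0]] for i in range(n)]
    for t in range(1, len(o)):
        alpha = [sum(alpha[i] * A[i][j] for i in range(n)) * B[j][o[t]] for j in range(n)]
    total = sum(alpha)
    posterior = [a / total for a in alpha]
    next_state = [sum(posterior[i] * A[i][j] for i in range(n)) for j in range(n)]
    next_alert = [sum(next_state[i] * B[i][k] for i in range(n)) for k in range(len(OBS))]

    def ranked(names, probs):
        return sorted(zip(names, probs), key=lambda x: -x[1])

    return ranked(STATES, next_state), ranked(OBS, next_alert)


def analyse(raw_alerts, gp=2.0):
    """Whole pipeline: preprocess, group, segment, decode intentions, predict the next step."""
    results = []
    for dst, group in group_by_destination(preprocess(raw_alerts)).items():
        for segment in grubbs_segments(group, gp):
            types = [a[2] for a in segment]
            next_intentions, next_alerts = predict_next(types)
            results.append({"dst": dst, "alerts": types, "intentions": viterbi(types),
                            "next_intention": next_intentions[0], "next_alert": next_alerts[0]})
    return results


if __name__ == "__main__":
    for r in analyse(RAW_ALERTS):
        print(r)
```

On the constructed data the 580-second gap inside the 10.0.0.5 group gives G of about 2.48 (the maximum attainable for eight intervals), so with Gp = 2.0 the group is cut into two segments while the small gaps inside each half are left alone. Note that a fixed Gp cannot cut a group with only three intervals (maximum G there is 2/sqrt(3)), which is why the threshold should follow the Grubbs critical-value table for the actual n rather than being a single constant.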
Keywords/Search Tags: compound attack, alert correlation, attack prediction, hidden Markov model, attack intention