Nowadays, network intrusion has evolved into complex attacks composed of multiple individual attack steps and carried out through multiple nodes, known as multi-step network attacks. Traditional intrusion detection systems (IDS) only capture attack alerts that occur within a certain time window and cannot correlate and integrate the detected individual attack stages. Moreover, the alerts raised by an IDS contain a large number of false positives, while some attacks that exploit low-severity vulnerabilities may be overlooked. In addition, the process by which an attack unfolds is complex, and existing modeling methods cannot reflect it in a fine-grained manner, lacking formal modeling and vulnerability analysis methods. In response to this situation, this article takes multi-step network attacks as its research object, explores how to identify and prune multi-step network attack scenarios, and further uses Petri nets to formalize the identified scenarios. The model is simulated to locate the risk and to establish a patch model, ultimately ensuring network security. The research content and contributions of this article mainly include the following three aspects:

(1) Design and construction of a pruning algorithm based on the network topology graph. This method takes the data flows of the attack scenario as input and reconstructs the multi-step network attack scenario through a pruning algorithm based on the network topology graph. First, the relevant attributes of the data-flow quintuples, topology graph nodes, and directed edges are defined, and this quintuple information is used to formally represent the initial network topology. Then, based on a trained convolutional neural network model, normal traffic is pruned in a first pass, and a CTree model is used to evaluate whether the alert data detected by the IDS is trustworthy, that is, to determine whether the attack type and attack mode of the alert data match. The second pruning pass is performed based on this matching, and the third pass is performed through the temporal correlation between attack steps. Finally, the topology graph that is the most concise and closest to the multi-step attack scenario is built. Compared with existing multi-step attack scenario reconstruction methods, this method is more concise, effective, and scalable.

(2) A fine-grained modeling approach based on Petri nets. It is proposed to combine Petri nets with attack behavior, using the graphical and state-transition characteristics of Petri nets to show the vulnerability exploitation process at the time of attack, to assist in identifying exploited vulnerabilities and key nodes, and at the same time to establish the transition relationships between the phases of the attack process, characterize the identified multi-step attack scenario, and realize a complete attack scenario reconstruction. By constructing the vulnerability exploitation process into a formal model according to Petri net modeling rules, the modeling and simulation analysis of the attack process is facilitated. Ultra-real-time simulation is achieved by adjusting the simulation run speed of the model, enabling fast attack prediction as well as fine-grained observation of attack details and vulnerability points for the analysis of the attack's purpose. Finally, a patch model is constructed to secure the network information.

(3) Based on the methods proposed in the first two research contents, this article designs a multi-step network attack scenario recognition and representation system, covering functions such as data processing, recognition and reconstruction, scenario representation import, scenario representation export, and scenario representation operations, thus providing a foundation for the visualization of multi-step network attack scenario analysis.
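As an added illustration of the three-pass pruning described in (1), the following Python sketch is not code from the thesis: the trained CNN and the CTree model are replaced by stand-ins (a hypothetical per-flow "normal traffic" score and a hard-coded attack-type/attack-mode table), and the hosts, ports, timestamps and alert labels are constructed sample data.

```python
"""Three-pass pruning of a flow set into a minimal multi-step attack topology.

Added illustration, not the thesis's implementation.  The CNN is replaced by a
hypothetical per-flow `normal_score`, and the CTree consistency check by the
ATTACK_MODES table below.  All sample values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    ts: float            # seconds; start time of the flow
    normal_score: float  # hypothetical stand-in for the CNN "normal" probability
    alert_type: str      # "" when the IDS raised no alert on this flow


# Hypothetical stand-in for the CTree check: (proto, dport) modes that are
# plausible for each alert type.  A mismatch means the alert is not trusted.
ATTACK_MODES: Dict[str, Set[Tuple[str, int]]] = {
    "port_scan":       {("tcp", 22), ("tcp", 80), ("tcp", 445)},
    "ssh_brute_force": {("tcp", 22)},
    "smb_exploit":     {("tcp", 445)},
    "web_shell":       {("tcp", 80), ("tcp", 443)},
}

# Expected ordering of attack stages; earlier index must precede later index.
STAGE_ORDER = ["port_scan", "ssh_brute_force", "smb_exploit", "web_shell"]


def prune_normal(flows: List[Flow], threshold: float = 0.9) -> List[Flow]:
    """Pass 1: drop flows the classifier considers normal with high confidence."""
    return [f for f in flows if f.normal_score < threshold]


def prune_unmatched(flows: List[Flow]) -> List[Flow]:
    """Pass 2: keep only alerted flows whose attack type matches the observed mode."""
    return [f for f in flows
            if f.alert_type and (f.proto, f.dport) in ATTACK_MODES.get(f.alert_type, set())]


def prune_temporal(flows: List[Flow]) -> List[Flow]:
    """Pass 3: keep a flow only if an earlier kept flow of an earlier stage
    involved its source host (same attacker, or a host compromised before).
    First-stage flows are kept unconditionally."""
    kept: List[Flow] = []
    for f in sorted(flows, key=lambda x: x.ts):
        stage = STAGE_ORDER.index(f.alert_type)
        if stage == 0:
            kept.append(f)
            continue
        for g in kept:
            if g.ts < f.ts and STAGE_ORDER.index(g.alert_type) < stage \
                    and f.src in (g.src, g.dst):
                kept.append(f)
                break
    return kept


def build_topology(flows: List[Flow]):
    """Nodes are hosts; directed edges carry the alert type and timestamp."""
    nodes = sorted({h for f in flows for h in (f.src, f.dst)})
    edges = sorted((f.src, f.dst, f.alert_type, f.ts) for f in flows)
    return nodes, edges


def reconstruct(flows: List[Flow], threshold: float = 0.9):
    """Full pipeline: three pruning passes, then the pruned topology graph."""
    return build_topology(prune_temporal(prune_unmatched(prune_normal(flows, threshold))))


# Constructed sample: A is the attacker, B the first victim, C the pivot target.
A, B, C = "10.0.0.5", "10.0.1.10", "10.0.1.20"
SAMPLE_FLOWS = [
    Flow(A, B, 51000, 80,  "tcp",  1.0, 0.97, ""),                 # normal, pass 1 drops it
    Flow(A, B, 51001, 22,  "tcp", 10.0, 0.10, "port_scan"),
    Flow(A, B, 51002, 445, "tcp", 11.0, 0.20, "port_scan"),
    Flow(A, B, 51003, 22,  "tcp", 30.0, 0.30, "ssh_brute_force"),
    Flow(A, C, 51004, 53,  "udp", 35.0, 0.40, "web_shell"),        # mode mismatch, pass 2 drops it
    Flow(B, C, 40000, 445, "tcp", 60.0, 0.20, "smb_exploit"),      # pivot from B after B fell
    Flow(C, B, 40001, 80,  "tcp",  5.0, 0.20, "web_shell"),        # out of order, pass 3 drops it
]

if __name__ == "__main__":
    nodes, edges = reconstruct(SAMPLE_FLOWS)
    print("hosts:", nodes)
    for src, dst, kind, ts in edges:
        print(f"{ts:6.1f}  {src} -> {dst}  {kind}")
```

Each pass only narrows the flow set, so the passes can be run and inspected independently; in practice the thresholds and the attack-mode table would come from the trained models the thesis describes.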
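To make the Petri-net modeling of (2) concrete, here is an added Python example (not the thesis's model or tool) of a small condition/event net for a multi-step scenario. Places are attacker states and footholds, transitions are attack steps, and each transition carries a placeholder vulnerability label; all names are constructed. Reachability search finds the attack path, the cut-point search identifies the transitions whose removal blocks the goal (the "risk location"), and the patch model is the net with such a transition removed.

```python
"""Petri-net style model of a multi-step attack scenario.

Added illustration, not the thesis's model.  Markings are sets of marked
places (a 1-bounded net), so the reachability search always terminates.
Vulnerability labels on transitions are placeholders, not real identifiers.
"""
from collections import deque
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Marking = FrozenSet[str]
Transition = Tuple[Set[str], Set[str], str]   # (preset, postset, vulnerability label)

# Constructed scenario: attacker -> recon on B -> shell on B (two ways) -> pivot to C.
ATTACK_NET: Dict[str, Transition] = {
    "scan":        ({"attacker"}, {"attacker", "recon_B"}, "exposed services on B (placeholder)"),
    "brute_force": ({"recon_B"},  {"creds_B"},             "weak SSH password on B (placeholder)"),
    "login":       ({"creds_B"},  {"shell_B"},             "SSH login with stolen creds (placeholder)"),
    "web_shell":   ({"recon_B"},  {"shell_B"},             "vulnerable web app on B (placeholder)"),
    "pivot_smb":   ({"shell_B"},  {"shell_B", "shell_C"},  "unpatched SMB service on C (placeholder)"),
}
INITIAL: Marking = frozenset({"attacker"})
GOAL = "shell_C"


def enabled(net: Dict[str, Transition], marking: Marking) -> List[str]:
    """A transition is enabled when all places of its preset are marked."""
    return [t for t, (pre, _, _) in net.items() if pre <= marking]


def fire(net: Dict[str, Transition], marking: Marking, t: str) -> Marking:
    """Firing consumes the preset tokens and produces the postset tokens."""
    pre, post, _ = net[t]
    return frozenset((marking - pre) | post)


def reachable(net: Dict[str, Transition], start: Marking, goal: str) -> Optional[List[str]]:
    """Breadth-first search over markings; returns the shortest firing
    sequence that marks `goal`, or None if the goal is unreachable."""
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        m, trace = queue.popleft()
        if goal in m:
            return trace
        for t in enabled(net, m):
            n = fire(net, m, t)
            if n not in seen:
                seen.add(n)
                queue.append((n, trace + [t]))
    return None


def patch(net: Dict[str, Transition], transition: str) -> Dict[str, Transition]:
    """Patch model: the net with one vulnerability (transition) removed."""
    return {k: v for k, v in net.items() if k != transition}


def key_transitions(net: Dict[str, Transition], start: Marking, goal: str) -> List[str]:
    """Transitions whose removal alone makes the goal unreachable: these are
    the risk locations where a single fix breaks the whole attack path."""
    return [t for t in net if reachable(patch(net, t), start, goal) is None]


def replay(net: Dict[str, Transition], start: Marking, trace: List[str]) -> List[Marking]:
    """Step through a firing sequence, returning the marking after each step
    (the fine-grained view of how the attack state evolves)."""
    markings = [start]
    for t in trace:
        markings.append(fire(net, markings[-1], t))
    return markings


if __name__ == "__main__":
    path = reachable(ATTACK_NET, INITIAL, GOAL)
    print("shortest attack path:", path)
    for step, m in zip(["start"] + (path or []), replay(ATTACK_NET, INITIAL, path or [])):
        print(f"  after {step:<11} marked: {sorted(m)}")
    cuts = key_transitions(ATTACK_NET, INITIAL, GOAL)
    print("single fixes that block the attack:", [(t, ATTACK_NET[t][2]) for t in cuts])
    print("goal reachable after patching pivot_smb:",
          reachable(patch(ATTACK_NET, "pivot_smb"), INITIAL, GOAL) is not None)
```

Because the scenario offers two ways to get a shell on B, neither brute_force nor login is a cut point on its own, while scan and pivot_smb are; that is exactly the distinction between a redundant attack stage and a key node that the simulation is meant to surface.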