采用攻击策略图的实时警报综合分析方法

doi:10.3969/j.issn.1001-2400.2014.05.015

Abstract

Abstract:

The causal relation based alert correlation approach causes split scenario graphs and cannot process massive alerts in time. To address this issue, a comprehensive analysis approach of real-time alerts with attack strategy graphs is proposed. First, it gets rid of the splitting of the attack scenario graph by introducing hypothesizing alerts to the alert correlation process. Second, it leverages a novel sliding window mechanism, which maintains a window for each type of attacks and determines the window's size according to both the time and number of the alerts. This new mechanism only introduces linear time complexity without sacrificing effectiveness. Third, the approach is extended to a comprehensive system to reconstruct attack scenarios, predict future alerts and fuse analytical results. Evaluation results indicate that our approach is effective and efficient.

Key words: intrusion detection systems, intrusion analysis, correlation analysis, attack scenarios

CLC Number:

TP309

LI Longying;LI Jinku;MA Jianfeng;JIANG Qi. Comprehensive analysis of real-time alerts with attack strategy graphs[J].J4, 2014, 41(5): 84-90.

References

［1］ Ning P, Cui Y, Reeves D S. Analyzing Intensive Intrusion Alerts via Correlation［C］//Proceedings of International Symposium on Recent Advances in Intrusion Detection. Stevenage: Springer Verlang, 2002: 74-94.
［2］ Ning P, Cui Y, Reeves D S. Constructing Attack Scenarios through Correlation of Intrusion Alerts［C］//Proceedings of the 9th ACM Conference on Computer and Communications Security. Washington: ACM, 2002: 245-254.
［3］ Ahmadinejad S H, Jalili S, Abadi M. A Hybrid Model for Correlating Alerts of Known and Unknown Attack Scenarios and Updating Attack Graphs［J］. Computer Networks, 2011, 55(9): 2221-2240.
［4］ Ning P, Xu D, Healey C G, et al. Building Attack Scenarios through Integration of Complementary Alert Correlation Methods［C］//11th Annual Network and Distributed System Security Symposium. Stevenage: Springer, 2004: 97-111.
［5］ Ning P, Xu D. Adapting Query Optimization Techniques for Efficient Intrusion Alert Correlation［R/OL］. ［2013-05-19］. discovery.csc.ncsu.edu/～pning/pubs/footcorldation.pdf.
［6］ Valeur F, Vigna G, Kruegel C, et al. A Comprehensive Approach to Intrusion Detection Alert Correlation［J］. IEEE Transactions on Dependable and Secure Computing, 2004, 1(3): 146-169.
［7］ Wang L, Liu A, Jajodia S. Using Attack Graphs for Correlating, Hypothesizing, and Predicting Intrusion Alerts［J］. Journal of Computer Communications, 2006, 29(15): 2917-2933.
［8］ Zali Z, Hashemi M R, Saidi H. Real-Time Attack Scenario Detection via Intrusion Detection Alert Correlation［C］//Proceedings of the 9th International ISC Conference on Information Security and Cryptology. Piscataway: IEEE, 2012: 95-102.
［9］杨洁, 刘聪锋. 模式匹配与校验和相结合的IP协议识别方法［J］. 西安电子科技大学学报, 2012, 39(3): 149-153.
Yang Jie, Liu Congfeng. IP Protocol Identification Method Using the Pattern Match and Check Sum ［J］. Journal of Xidian University, 2012, 39(3): 149-153.
［10］林晖, 马建峰. 无线 Mesh网络中基于跨层信誉机制的安全路由协议［J］. 西安电子科技大学学报, 2014, 41(1): 145-153.
Lin Hui, Ma Jianfeng. Cross Layer Reputation Mechanism based Secure Routing Protocol for WMNs ［J］. Journal of Xidian University, 2014, 41(1): 145-153.

[1]	FENG Dengguo. On the significance and function of the Xiao-Massey theorem [J]. Journal of Xidian University, 2021, 48(1): 7-13.
[2]	QI Xiaogang,HU Qiuqiu,YAO Xuqing,LIU Lifang. Efficient alarm analysis approach for communication networks [J]. Journal of Xidian University, 2019, 46(4): 1-8.
[3]	ZHAO Jing;LI Xinghua;XUE Feijie;MA Jianfeng. Wireless network access selection method with the non-cooperative game [J]. J4, 2014, 41(5): 98-104.
[4]	WANG Lei;SHI Ya;JI Hongbing. Specific radar emitter identification using multiset canonical correlation analysis [J]. J4, 2013, 40(2): 164-171.
[5]	CHEN Chang-hong;ZHAO Heng;LIANG Ji-min;JIAO Li-cheng. Influence of feature selection on FHMM [J]. J4, 2010, 37(5): 934-940.
[6]	LI Tong-yan; LI Xing-ming. An efficient method for association rules mined in telecommunication alarm correlation analysis [J]. J4, 2007, 34(7): 39-42.

Comprehensive analysis of real-time alerts with attack strategy graphs

PDF (PC)

Like

Knowledge

Cited

Abstract

Cite this article

share this article

References

Related Articles 6

Metrics

Comments

Recommended 10