Journal of Nanjing University (Natural Science Edition), 2010, Vol. 46, Issue 1: 56–63.


An alert correlation algorithm based on multi-step attack path graphs


Liu Zhi-Jie, Wang Chong-Jun

  • Publication date: 2015-03-27  Online date: 2015-03-27
  • About the authors: (State Key Laboratory for Novel Software Technology, Department of Computer Science and Technology, Nanjing University, Nanjing, 210093)
  • Funding:
     National Natural Science Foundation of China (60807538, 60721002, 60503021), Jiangsu Province Science and Technology Support Program (BE2009142), Key Project Fund of the Ministry of Education (108151)

An alert correlating algorithm based on multi-step attack path graphs: MSACA

Liu Zhi-Jie, Wang Chong-Jun

  • Online: 2015-03-27  Published: 2015-03-27
  • About author: (State Key Laboratory for Novel Software Technology, Department of Computer Science and Technology, Nanjing University, Nanjing, 210093, China)

Abstract (Chinese): Intrusion detection systems (IDS) are an important means of protecting computer systems and are increasingly widely deployed, but the large volume of raw alerts they generate brings new problems: the alerts are numerous, many are false positives and many are duplicates, which hampers effective use of the IDS. To address this, alert correlation has become a hot topic in network security research; researchers try to correlate low-level alerts so as to reduce the false-alarm rate. This paper proposes an alert correlation algorithm based on multi-step attack path graphs. It uses the attack stage that each alert occupies within an attack to link alerts into attack scenarios, thereby revealing the true intrusion intent hidden behind the mass of attack events. The model first preprocesses the alerts and matches each to the corresponding attack stage in a knowledge base, then links the attacks together, computes the threat level of the affected host from the weights of the attack path graph, and decides whether to raise an alarm. The model can process alerts in real time and can reconstruct the path along which an attack was carried out; finally, experiments demonstrate the algorithm's effectiveness.

Abstract: In recent years the intrusion detection system (IDS) has proved valuable in protecting computer systems against malicious attacks. It works by actively detecting abnormal activities and counteracting them, be it by reporting to the user or by taking certain actions automatically. The traditional IDS, however, is defective in that it deals with each detected abnormal activity only individually, which brings serious problems, classical ones of which include massive numbers of false alarms and massive numbers of repeated low-level alarms. An even more serious problem of the traditional IDS is that it is ineffective, if not useless, when the many individually detected abnormal activities are correlated components of a multi-step, in-depth intrusion, which is probably the common case nowadays since intrusions have evolved to be intelligent and distributed. To overcome this defect, this paper proposes a method called MSACA (multi-step attack correlating algorithm). As a prerequisite of the method, a knowledge database is provided. The knowledge database consists of the structures of known multi-step correlating attacks, meaning that, given certain low-level abnormal activities, the database tells us what kinds of multi-step correlating attacks the given low-level alarms may be part of, as well as to which stage they belong. The proposed method first gets the needed information about the low-level alarms from the database, secondly tries to form a big picture that reveals the possible threat posed by the low-level alarms working as a whole, and finally takes countermeasures. The proposed method can be implemented in real-time scenarios. This paper also proves the proposed method's effectiveness by experiments.
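Both abstracts describe the same pipeline: preprocess raw IDS alerts, map each to an attack stage in a knowledge base, chain the stages per target host along the attack path graph, score the chain by the graph's edge weights, and alarm when the host's threat level is high enough. The following Python is an added illustration of that pipeline written for this page; it is not the authors' MSACA implementation. The stage names, signature mapping, edge weights, alarm threshold and the sample alerts are all constructed assumptions, since the paper's actual knowledge base and scoring rule are not given in the abstract.

```python
"""Illustrative multi-step alert correlator in the spirit of the MSACA sketch.

Every stage name, signature, weight, threshold and alert below is constructed
for this example; the paper's real knowledge base and scoring are not shown here.
"""
from collections import defaultdict
from dataclasses import dataclass

# Knowledge base (assumed): IDS signature -> attack stage it indicates.
SIGNATURE_TO_STAGE = {
    "ICMP_SWEEP": "recon",
    "PORTSCAN": "scan",
    "BUFFER_OVERFLOW_ATTEMPT": "exploit",
    "SUID_SHELL": "privesc",
    "OUTBOUND_FTP_BULK": "exfil",
}

# Attack path graph (assumed): directed stage transitions with a weight that
# expresses how much threat the transition adds to the targeted host.
PATH_GRAPH = {
    ("recon", "scan"): 1.0,
    ("scan", "exploit"): 2.0,
    ("exploit", "privesc"): 3.0,
    ("privesc", "exfil"): 4.0,
    ("exploit", "exfil"): 3.0,  # path that skips privilege escalation
}

ALARM_THRESHOLD = 5.0  # assumed: alarm once a host's path score reaches this


@dataclass(frozen=True)
class Alert:
    ts: int          # seconds since epoch (constructed)
    src: str
    dst: str
    signature: str


def preprocess(alerts):
    """Step 1: discard alerts with no stage in the knowledge base, drop exact
    repeats from the same attacker against the same target, and sort by time
    so that a later stage can only follow an earlier one."""
    seen = set()
    kept = []
    for a in sorted(alerts, key=lambda x: x.ts):
        if a.signature not in SIGNATURE_TO_STAGE:
            continue
        key = (a.src, a.dst, a.signature)
        if key in seen:  # repeated low-level alert, no new information
            continue
        seen.add(key)
        kept.append(a)
    return kept


def correlate(alerts):
    """Steps 2-3: per target host, chain stages along PATH_GRAPH edges and sum
    the traversed edge weights into a threat score.

    Returns {host: (path, score, alarm)}; `path` is the reconstructed list of
    stages in order, which is what lets an analyst replay the attack route."""
    per_host = defaultdict(list)
    for a in preprocess(alerts):
        per_host[a.dst].append(SIGNATURE_TO_STAGE[a.signature])

    result = {}
    for host, stages in per_host.items():
        path = [stages[0]]
        score = 0.0
        for stage in stages[1:]:
            if stage == path[-1]:
                continue  # same stage again, no new transition
            edge = (path[-1], stage)
            if edge in PATH_GRAPH:  # link only along a known transition
                score += PATH_GRAPH[edge]
                path.append(stage)
        result[host] = (path, score, score >= ALARM_THRESHOLD)
    return result


# Constructed sample alerts: one full chain against 192.168.1.10 (with a
# duplicate scan) and a reconnaissance-only chain against 192.168.1.20.
SAMPLE_ALERTS = [
    Alert(100, "10.0.0.5", "192.168.1.10", "ICMP_SWEEP"),
    Alert(101, "10.0.0.5", "192.168.1.10", "PORTSCAN"),
    Alert(102, "10.0.0.5", "192.168.1.10", "PORTSCAN"),  # duplicate, dropped
    Alert(105, "10.0.0.5", "192.168.1.10", "BUFFER_OVERFLOW_ATTEMPT"),
    Alert(107, "10.0.0.5", "192.168.1.10", "SUID_SHELL"),
    Alert(110, "10.0.0.5", "192.168.1.10", "OUTBOUND_FTP_BULK"),
    Alert(100, "10.0.0.7", "192.168.1.20", "ICMP_SWEEP"),
    Alert(103, "10.0.0.7", "192.168.1.20", "PORTSCAN"),
    Alert(104, "10.0.0.7", "192.168.1.20", "UNKNOWN_SIG"),  # not in knowledge base
]

if __name__ == "__main__":
    for host, (path, score, alarm) in correlate(SAMPLE_ALERTS).items():
        print(host, " -> ".join(path), score, "ALARM" if alarm else "ok")
```

With the constructed data, host 192.168.1.10 yields the path recon → scan → exploit → privesc → exfil with score 10.0 and an alarm, while 192.168.1.20 stops at recon → scan with score 1.0 and no alarm; the duplicate scan and the unknown signature are removed in preprocessing. Because alerts are consumed in time order and the per-host state is just the last stage reached, the same loop can be fed one alert at a time from a live feed, which is the real-time property the abstract claims.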
