Netinfo Security ›› 2020, Vol. 20 ›› Issue (7): 1-10.doi: 10.3969/j.issn.1671-1122.2020.07.001


Context-based Attack Scenario Reconstruction Model for IDS Alarms

JIANG Nan1,2,3, CUI Yaohui1, WANG Jian4,5, WU Jinchao1

  1. Faculty of Information Technology, Beijing University of Technology, Beijing 100124, China
    2. Beijing Key Laboratory of Trusted Computing, Beijing 100124, China
    3. National Engineering Laboratory for Critical Technologies of Information Security Classified Protection, Beijing 100124, China
    4. Beijing Key Laboratory of Security and Privacy in Intelligent Transportation, Beijing Jiaotong University, Beijing 100044, China
    5. School of Computer and Information Technology, Beijing Jiaotong University, Beijing 100044, China
  • Received: 2020-05-15  Online: 2020-07-10  Published: 2020-08-13
  • Contact: Nan JIANG  E-mail: jiangnan@bjut.edu.cn

Abstract:

An intrusion detection system (IDS) is a key component of a network security defense strategy. In large and complex network environments facing attacks of growing scale, however, an IDS suffers from problems such as poor readability caused by the sheer volume of alarms, which greatly reduces its usability. This paper proposes an attack scenario reconstruction method for real IDS alarm data streams. Taking the attacker's perspective, a complete multi-step attack behavior is defined as an attack event. Parallel events in the alarm stream are separated by a dynamic time window supplemented by a similarity judgment on alarm context features; the attack within each event is decomposed by extracting the attack paths visible at the IP layer; and the attacker's attack-type transition sequence on each path is then obtained for causal knowledge mining, which displays the attacker's multi-step attack scenario intuitively. Experimental results show that the method captures the attack events in the alarm data stream completely and displays multi-step attack behavior accurately and intuitively, effectively improving the practical usability of IDS.
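To make the pipeline sketched above concrete, the following is an added illustrative implementation, not the authors' code: a dynamic time window plus a context-feature similarity test splits an alert stream into events, each event is reduced to IP-layer attack paths, and the attack-type transitions along those paths are counted as a minimal form of causal mining. The alert fields, the similarity measure, the threshold, the window-growth rule and the sample alerts are all assumptions chosen for the example; the abstract does not specify them.

```python
"""Illustrative attack-scenario reconstruction over an IDS alert stream.
Added example, not the paper's code: alert fields, similarity measure,
thresholds, window-growth rule and sample data are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    ts: float      # seconds; the stream is processed in time order
    src: str       # source IP
    dst: str       # destination IP
    dport: int     # destination port
    atype: str     # attack type / signature class reported by the IDS


def context_similarity(a: Alert, b: Alert) -> float:
    """Hypothetical similarity in [0, 1]: shared hosts (a pivot, where one
    alert's victim is the other's source, counts as two shared hosts) plus
    destination-port and attack-type agreement, out of four features."""
    hosts = len({a.src, a.dst} & {b.src, b.dst})
    if a.dst == b.src or b.dst == a.src:
        hosts = 2
    return (hosts + (a.dport == b.dport) + (a.atype == b.atype)) / 4.0


def split_events(alerts, base_window=60.0, extend=30.0, threshold=0.5):
    """Dynamic time window: an alert arriving before an open event's deadline
    with similarity >= threshold to one of its alerts joins that event and
    pushes the deadline out by `extend`; otherwise it opens a new event.
    Events whose deadline has passed are closed. Returns lists of alerts."""
    closed, open_events = [], []
    for al in sorted(alerts, key=lambda x: x.ts):
        closed.extend(ev["alerts"] for ev in open_events if al.ts > ev["deadline"])
        open_events = [ev for ev in open_events if al.ts <= ev["deadline"]]
        best, best_score = None, 0.0
        for ev in open_events:
            score = max(context_similarity(al, x) for x in ev["alerts"])
            if score > best_score:
                best, best_score = ev, score
        if best is not None and best_score >= threshold:
            best["alerts"].append(al)
            best["deadline"] = max(best["deadline"], al.ts + extend)
        else:
            open_events.append({"alerts": [al], "deadline": al.ts + base_window})
    closed.extend(ev["alerts"] for ev in open_events)
    return sorted(closed, key=lambda ev: ev[0].ts)


def attack_paths(event):
    """IP-layer paths of one event: hosts are nodes, alerts are src->dst edges.
    A path starts at a host that is never a victim (the entry point) and is
    followed until no unvisited victim remains; consecutive repeated attack
    types on a hop are collapsed into the transition sequence."""
    edges = {}
    for al in sorted(event, key=lambda x: x.ts):
        seq = edges.setdefault(al.src, {}).setdefault(al.dst, [])
        if not seq or seq[-1] != al.atype:
            seq.append(al.atype)
    victims = {al.dst for al in event}
    paths = []

    def walk(host, hosts, types, seen):
        nxt = [d for d in edges.get(host, {}) if d not in seen]
        if not nxt:
            paths.append((hosts, types))
        for d in nxt:
            walk(d, hosts + [d], types + edges[host][d], seen | {d})

    for root in [h for h in edges if h not in victims]:
        walk(root, [root], [], {root})
    return paths


def transition_counts(paths):
    """Simplest causal mining: how often attack type A is followed by B."""
    counts = {}
    for _, types in paths:
        for a, b in zip(types, types[1:]):
            counts[(a, b)] = counts.get((a, b), 0) + 1
    return counts


def reconstruct(alerts):
    """Events -> paths per event -> transition counts over all paths."""
    events = split_events(alerts)
    paths = [attack_paths(ev) for ev in events]
    return events, paths, transition_counts([p for ps in paths for p in ps])


# Constructed sample stream: two interleaved attacks plus one stray alert.
SAMPLE_ALERTS = [
    Alert(0, "203.0.113.5", "10.0.0.7", 22, "port_scan"),
    Alert(5, "203.0.113.5", "10.0.0.7", 22, "port_scan"),
    Alert(20, "198.51.100.20", "10.0.0.30", 80, "sqli"),
    Alert(40, "203.0.113.5", "10.0.0.7", 22, "ssh_bruteforce"),
    Alert(50, "198.51.100.20", "10.0.0.30", 80, "sqli"),
    Alert(65, "198.51.100.20", "10.0.0.30", 80, "webshell_upload"),
    Alert(70, "203.0.113.5", "10.0.0.7", 80, "web_exploit"),
    Alert(100, "10.0.0.7", "10.0.0.9", 445, "smb_lateral"),  # pivot from first victim
    Alert(400, "198.51.100.77", "10.0.0.50", 22, "port_scan"),
]

if __name__ == "__main__":
    for i, ps in enumerate(reconstruct(SAMPLE_ALERTS)[1]):
        for hosts, types in ps:
            print(f"event {i}: {' -> '.join(hosts)} | {' > '.join(types)}")
```

On the sample stream the two interleaved attacks come out as separate events even though their alerts overlap in time, the pivot from 10.0.0.7 to 10.0.0.9 is kept inside the first event because the similarity test scores the victim-becomes-source relation as a full host match, and the first path reads port_scan > ssh_bruteforce > web_exploit > smb_lateral. The threshold and window parameters are where a real deployment would need tuning: too small a window fragments slow attacks, too permissive a similarity merges unrelated ones.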

Key words: intrusion detection system, alert analysis, attack scenario reconstruction, causal knowledge mining
