Abstract:
Existing attack scenario construction methods are inaccurate because they do not account for missing alarms and redundant alarms. To address this, a new attack scenario construction method based on a causal knowledge net is proposed. The causal knowledge net consists of causal relationships and causal knowledge. First, the causal relationships between single-step attacks are defined from expert knowledge; then real alarms are used to mine causal knowledge, which quantitatively describes those causal relationships. In particular, a significance testing mechanism is designed to guarantee the consistency and accuracy of the causal relationships and of the mined causal knowledge. With the causal knowledge net, attack scenario construction proceeds in two steps: in the first step, an initial attack scenario is obtained by alarm mapping and clustering; in the second step, the initial attack scenario is reconstructed into the complete attack scenario using maximum a posteriori estimation. Experimental results show that the proposed method improves the accuracy of attack scenario construction by combining the advantages of expert knowledge and data mining.
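As an added illustration of the two-step pipeline described above (this is not code from the paper), the following Python sketch mines causal knowledge from constructed alarm sequences over assumed expert-defined relationships between single-step attacks, keeps an edge only if it passes an assumed one-sided z-test as the significance check, and then reconstructs a noisy alarm chain by a MAP choice over hidden missing steps. The attack type names, the test statistic, the `miss_penalty` prior and the reduction of alarm mapping and clustering to pre-grouped sessions are all assumptions.

```python
import math
from collections import Counter

# Assumed expert causal relationships between single-step attack types.
EXPERT_EDGES = {("probe", "exploit"), ("exploit", "privesc"),
                ("privesc", "exfil"), ("exploit", "exfil")}
# Constructed alarm sessions (raw alerts already mapped to attack types).
ALARM_SEQUENCES = [["probe", "exploit", "privesc", "exfil"]] * 2 + [
    ["probe", "exploit", "exfil"], ["probe", "exploit", "privesc"],
    ["probe", "probe", "exploit", "privesc", "exfil"], ["exploit", "privesc", "exfil"]]

def mine_causal_knowledge(sequences, edges, z_min=1.645, min_support=2):
    """Quantify each expert edge a->b as P(b follows a); keep it only when that
    rate is significantly above b's base rate (one-sided z-test, assumed here)."""
    head, pair, total = Counter(), Counter(), 0
    for seq in sequences:
        for i, a in enumerate(seq):
            total, head[a] = total + 1, head[a] + 1
            if i + 1 < len(seq) and (a, seq[i + 1]) in edges:
                pair[(a, seq[i + 1])] += 1
    net = {}
    for a, b in edges:
        n, k = head[a], pair[(a, b)]
        if n == 0 or k < min_support:
            continue                      # too little evidence to test the edge
        p_b = head[b] / total             # null hypothesis: b independent of a
        z = (k / n - p_b) / math.sqrt(p_b * (1 - p_b) / n)
        if z > z_min:
            net[(a, b)] = k / n           # mined causal knowledge for this edge
    return net

def reconstruct(observed, net, miss_penalty=0.5):
    """MAP reconstruction of one alarm chain: collapse redundant repeats, and bridge
    a non-edge pair (a, b) with the hidden step m maximising P(m|a)*P(b|m)*penalty."""
    steps = [s for i, s in enumerate(observed) if i == 0 or s != observed[i - 1]]
    scenario, logp = steps[:1], 0.0
    for a, b in zip(steps, steps[1:]):
        if (a, b) in net:
            logp += math.log(net[(a, b)])
        else:
            cands = [(net[(a, m)] * net[(m, b)] * miss_penalty, m)
                     for (x, m) in net if x == a and (m, b) in net]
            if not cands:
                return None, float("-inf")   # no causal path explains b after a
            p, m = max(cands)
            scenario.append(m)               # the alarm assumed to be missing
            logp += math.log(p)
        scenario.append(b)
    return scenario, logp
```

Running `reconstruct(["probe", "probe", "exploit", "exfil"], mine_causal_knowledge(ALARM_SEQUENCES, EXPERT_EDGES))` collapses the repeated probe and inserts the missing `privesc` step, because the rarely observed expert edge exploit->exfil fails the support check while the two-hop path passes.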