ISSN 1000-1239 CN 11-1777/TP

• Information Security •

A Causal Knowledge Mining Method Based on the Markov Property

1. (National Key Laboratory of Science and Technology on Information System Security, Beijing Institute of System Engineering, Beijing 100101) (brafum@yeah.net)
• Publication date: 2014-11-01
• Funding:
Funded by: National Natural Science Foundation of China (61271252)

A Mining Approach for Causal Knowledge in Alert Correlating Based on the Markov Property

Feng Xuewei, Wang Dongxia, Huang Minhuan, Li Jin

1. (National Key Laboratory of Science and Technology on Information System Security, Beijing Institute of System Engineering, Beijing 100101)
• Online: 2014-11-01

Abstract: Attackers in cyberspace almost always exploit target network facilities gradually, performing multiple attack steps in order to reach their ultimate goal. How to form a complete picture of such attacks, or identify the attack scenarios behind them, is one of the main challenges in research fields such as cyberspace security situation awareness. Alert correlation analysis based on causal knowledge is one of the main methods of CEP (complex event processing) technology, and a promising way to identify multi-step attack processes and reconstruct attack scenarios. Current research, however, suffers from the problem that the causal knowledge has to be defined manually. To solve this problem, this paper proposes a causal knowledge mining method based on the Markov property. First, the raw alert streams are clustered by address to produce alert cluster sets; then the one-step transition probability matrix between different attack types in each cluster set is mined based on the Markov property, and knowledge describing the same steps is fused; finally, the knowledge base is created. The experimental results show that the method is feasible.
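The three stages the abstract describes (cluster by address, mine one-step transition probabilities under the Markov property, fuse same-step knowledge into a knowledge base) can be illustrated with a small script. The following is an added example, not code from the paper: the alert records are constructed, the clustering key (source and destination address pair), the fusion rule (summing transition counts across clusters before normalising) and the `min_prob` admission threshold are assumptions made here for illustration, not details taken from the paper.

```python
from collections import defaultdict

# Constructed sample alert stream (not from the paper):
# (timestamp, source address, destination address, attack type).
ALERTS = [
    (1, "10.0.0.5", "10.0.0.20", "SCAN"),
    (2, "10.0.0.5", "10.0.0.20", "BRUTE_FORCE"),
    (3, "10.0.0.5", "10.0.0.20", "PRIV_ESC"),
    (4, "10.0.0.7", "10.0.0.21", "SCAN"),
    (5, "10.0.0.7", "10.0.0.21", "BRUTE_FORCE"),
    (6, "10.0.0.7", "10.0.0.21", "EXFIL"),
    (7, "10.0.0.9", "10.0.0.22", "SCAN"),
    (8, "10.0.0.9", "10.0.0.22", "PRIV_ESC"),
]


def cluster_by_address(alerts):
    """Stage 1: group alerts by (src, dst) pair, each cluster ordered by time.

    The (src, dst) key is an assumption of this example; the paper only says
    alerts are clustered by address.
    """
    clusters = defaultdict(list)
    for _ts, src, dst, atype in sorted(alerts):
        clusters[(src, dst)].append(atype)
    return dict(clusters)


def transition_counts(sequence):
    """Count one-step transitions a -> b within one cluster's attack-type sequence.

    Under the Markov property only the immediately preceding alert matters,
    so consecutive pairs are all that is recorded.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for a, b in zip(sequence, sequence[1:]):
        counts[a][b] += 1
    return counts


def normalise(counts):
    """Turn transition counts into a row-stochastic one-step probability matrix."""
    matrix = {}
    for a, row in counts.items():
        total = sum(row.values())
        matrix[a] = {b: n / total for b, n in row.items()}
    return matrix


def mine_knowledge(alerts, min_prob=0.0):
    """Stages 2 and 3: mine per-cluster transitions, fuse them, build the knowledge base.

    Fusion by summing counts across clusters is this example's choice.
    Returns (transition_matrix, knowledge_base) where the knowledge base maps
    (cause_type, effect_type) to its fused transition probability.
    """
    fused = defaultdict(lambda: defaultdict(int))
    for seq in cluster_by_address(alerts).values():
        for a, row in transition_counts(seq).items():
            for b, n in row.items():
                fused[a][b] += n
    matrix = normalise(fused)
    knowledge_base = {
        (a, b): p
        for a, row in matrix.items()
        for b, p in row.items()
        if p >= min_prob
    }
    return matrix, knowledge_base


def is_causal(knowledge_base, earlier, later):
    """Correlation check: does the mined knowledge link two alert types as a step?"""
    return (earlier, later) in knowledge_base


if __name__ == "__main__":
    matrix, kb = mine_knowledge(ALERTS, min_prob=0.5)
    for a, row in matrix.items():
        for b, p in sorted(row.items()):
            print(f"P({b} | {a}) = {p:.2f}")
    print("SCAN -> BRUTE_FORCE is causal knowledge:", is_causal(kb, "SCAN", "BRUTE_FORCE"))
```

With the sample stream, `SCAN` is followed by `BRUTE_FORCE` in two of three clusters and by `PRIV_ESC` in one, so the fused matrix gives P(BRUTE_FORCE | SCAN) = 2/3 and P(PRIV_ESC | SCAN) = 1/3; the two `BRUTE_FORCE` successors split 1/2 each. Raising `min_prob` trades recall of rarer attack steps for fewer spurious links in the knowledge base, which is the tuning decision a deployment would make against its own alert volume.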