ISSN 1000-1239 CN 11-1777/TP

Journal of Computer Research and Development, 2014, Vol. 51, Issue 11: 2493-2504. doi: 10.7544/issn1000-1239.2014.20130854


A Mining Approach for Causal Knowledge in Alert Correlating Based on the Markov Property

Feng Xuewei, Wang Dongxia, Huang Minhuan, Li Jin

Affiliation: National Key Laboratory of Science and Technology on Information System Security, Beijing Institute of System Engineering, Beijing 100101

Online: 2014-11-01

Abstract: In cyberspace, attackers typically compromise target network facilities gradually, performing multiple attack steps to reach their ultimate goal. Forming the complete picture of an attack, or identifying the attack scenario, is one of the main challenges in research fields such as cyberspace security situation awareness. Alert correlation analysis based on causal knowledge is one of the main methods of complex event processing (CEP) technology and a promising way to identify multi-step attack processes and reconstruct attack scenarios. Current research, however, suffers from the problem that causal knowledge has to be defined manually. To solve this problem, this paper proposes a causal knowledge mining method based on the Markov property. First, the raw alert streams are clustered by address to produce alert cluster sets; then the one-step transition probability matrix between the different attack types in each cluster set is mined based on the Markov property, and knowledge describing the same steps is fused; finally, the knowledge base is created. The experimental results show that this method is feasible.
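As an added illustration, not code from the paper, the three mining steps the abstract describes are carried out below in Python over a constructed alert stream: clustering by (src, dst) address pair, counting one-step transitions between attack types under the Markov assumption, and fusing identical steps across clusters into a row-normalised transition matrix. The address-pair clustering key, the attack-type labels and the min_prob threshold are assumptions of this example.

```python
from collections import defaultdict
# Constructed sample alert stream (not from the paper): (timestamp, src, dst, attack_type)
ALERTS = [
    (1, "10.0.0.5", "10.0.1.2", "scan"),
    (2, "10.0.0.5", "10.0.1.2", "bruteforce"),
    (3, "10.0.0.9", "10.0.1.7", "scan"),
    (4, "10.0.0.5", "10.0.1.2", "privesc"),
    (5, "10.0.0.9", "10.0.1.7", "exploit"),
    (6, "10.0.0.9", "10.0.1.7", "privesc"),
    (7, "10.0.0.5", "10.0.1.2", "exfil"),
    (8, "10.0.0.9", "10.0.1.7", "exfil"),
    (9, "10.0.0.3", "10.0.1.2", "scan"),
    (10, "10.0.0.3", "10.0.1.2", "bruteforce"),
]

def cluster_by_address(alerts):
    # Step 1: one time-ordered attack-type sequence per (src, dst) address pair
    clusters = defaultdict(list)
    for _ts, src, dst, atype in sorted(alerts):
        clusters[(src, dst)].append(atype)
    return clusters

def transition_counts(sequence):
    # Step 2: count one-step transitions cur -> nxt (Markov property: next type depends only on current)
    counts = defaultdict(lambda: defaultdict(int))
    for cur, nxt in zip(sequence, sequence[1:]):
        counts[cur][nxt] += 1
    return counts

def fuse_counts(per_cluster):
    # Step 3: fuse knowledge with the same step (cur -> nxt) across clusters by summing counts
    fused = defaultdict(lambda: defaultdict(int))
    for counts in per_cluster:
        for cur, row in counts.items():
            for nxt, n in row.items():
                fused[cur][nxt] += n
    return fused

def transition_matrix(counts):
    # Row-normalise fused counts into one-step probabilities P(nxt | cur)
    return {cur: {nxt: n / sum(row.values()) for nxt, n in row.items()}
            for cur, row in counts.items()}

def mine_causal_knowledge(alerts, min_prob=0.5):
    # End to end; min_prob is an assumed pruning threshold, not one given in the abstract
    clusters = cluster_by_address(alerts)
    matrix = transition_matrix(fuse_counts(transition_counts(s) for s in clusters.values()))
    knowledge = {(c, n) for c, row in matrix.items() for n, p in row.items() if p >= min_prob}
    return matrix, knowledge
```

With the sample stream, scan is followed by bruteforce in two of three clusters (probability 2/3), so that edge is kept as candidate causal knowledge while scan -> exploit (1/3) is pruned.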

Key words: intrusion detection, alert correlation, causal knowledge, data mining, attack scenario
