
    BPCRISM: A New Intrusion Scenario Building Model

    Abstract: Intrusion detection systems (IDS) are the new generation of security safeguard technology that followed firewalls and data encryption. Because traditional IDSs are heterogeneous and autonomous, the alerts they raise for the same attack differ considerably in content, level of detail and uncertainty, which produces a large number of repeated alerts. These numerous, repeated alerts degrade IDS performance and do not reveal the complete course of an intrusion. To analyze and process alerts effectively and to rebuild the attack flow and the attack scenario, this paper presents a new intrusion scenario building model, BPCRISM (based probability and causal relation intrusion scenario model), which combines probabilistic correlation with causal correlation. Based on how close the detection times of alerts are, the model divides alert correlation into two major categories, probabilistic alert correlation and causal alert correlation, and an algorithm is given for each. The complete intrusion course is then identified and the intrusion scenario is reconstructed from the correlated alerts. A preliminary implementation of the model was tested with the DARPA Cyber Panel Program Grand Challenge Problem Release 3.2 (GCP), an attack scenario simulator, and the experimental results verify the effectiveness of the model. This model can solve the problems that a single traditional intrusion detection system brings.

       
