A Mining Approach for Causal Knowledge in Alert Correlating Based on the Markov Property
-
Graphical Abstract
-
Abstract
The processes of attackers exploiting target network facilities are always gradual in cyberspace, and multiple attack steps would be performed in order to achieve the ultimate goal. How to form the complete picture of attacks or identify the attack scenarios is one of the main challenges in many research fields, such as cyberspace security situation awareness. Alerts correlation analysis based on causal knowledge is one of the main methods of the CEP (complex event processing) technology, which is a promising way to identify the multi-step attack process and reconstruct attack scenarios. Current researches suffer from the problem of defining causal knowledge manually. In order to solve this problem, a causal knowledge mining method based on the Markov property is proposed in this paper. Firstly, the raw alert streams are clustered by address to produce alert cluster sets; then the one step transition probability matrix between different attack types in each cluster set is mined based on the Markov property, and the knowledge with the same steps is fused; finally the knowledge base is created. The experimental results show that this method is feasible.
-
-