Feng Xuewei, Wang Dongxia, Huang Minhuan, Li Jin. A Mining Approach for Causal Knowledge in Alert Correlating Based on the Markov Property[J]. Journal of Computer Research and Development, 2014, 51(11): 2493-2504. DOI: 10.7544/issn1000-1239.2014.20130854

A Mining Approach for Causal Knowledge in Alert Correlating Based on the Markov Property

Published Date: October 31, 2014

Abstract: In cyberspace, attackers exploit target network facilities gradually, performing multiple attack steps to achieve their ultimate goal. Forming a complete picture of an attack, or identifying the attack scenario, is one of the main challenges in research fields such as cyberspace security situation awareness. Alert correlation analysis based on causal knowledge is one of the main methods of complex event processing (CEP) and a promising way to identify multi-step attack processes and reconstruct attack scenarios. Current research suffers from the need to define causal knowledge manually. To address this problem, this paper proposes a causal knowledge mining method based on the Markov property. First, raw alert streams are clustered by address to produce alert cluster sets; then the one-step transition probability matrix between attack types in each cluster set is mined based on the Markov property, and knowledge describing the same steps is fused; finally, the knowledge base is built. The experimental results show that this method is feasible.
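The three-stage procedure the abstract describes (cluster alerts by address, mine the one-step transition matrix under the Markov property, fuse identical steps into a knowledge base), as an added illustration that is not the paper's own code. It assumes "address" means the (source, destination) pair, collapses consecutive repeats of the same alert type inside a cluster, and keeps a transition as causal knowledge only above a probability threshold; the alert stream is constructed.

```python
from collections import defaultdict

# Constructed sample alert stream: (time, src_ip, dst_ip, attack_type).
ALERTS = [
    (1, "10.0.0.5", "10.0.0.20", "scan"),
    (2, "10.0.0.5", "10.0.0.20", "scan"),  # repeated scan alert, collapsed below
    (3, "10.0.0.5", "10.0.0.20", "bruteforce"),
    (4, "10.0.0.7", "10.0.0.21", "scan"),
    (5, "10.0.0.5", "10.0.0.20", "exploit"),
    (6, "10.0.0.7", "10.0.0.21", "bruteforce"),
    (7, "10.0.0.7", "10.0.0.21", "exploit"),
    (8, "10.0.0.9", "10.0.0.22", "scan"),
    (9, "10.0.0.9", "10.0.0.22", "exploit"),
    (10, "10.0.0.5", "10.0.0.20", "c2"),
]

def cluster_by_address(alerts):
    """Step 1: group alerts by (src, dst) pair, keeping time order in each cluster.
    Consecutive repeats of one type are collapsed (an assumption made here) so a
    burst of identical alerts does not inflate self-transitions."""
    clusters = defaultdict(list)
    for _, src, dst, kind in sorted(alerts):
        seq = clusters[(src, dst)]
        if not seq or seq[-1] != kind:
            seq.append(kind)
    return clusters

def fused_transition_counts(clusters):
    """Step 2 (Markov property): the next attack type depends only on the current
    one, so count one-step transitions a -> b per cluster and fuse identical
    steps across clusters by summing their counts."""
    counts = defaultdict(lambda: defaultdict(int))
    for seq in clusters.values():
        for a, b in zip(seq, seq[1:]):
            counts[a][b] += 1
    return counts

def transition_matrix(counts):
    """Normalise each row so P[a][b] = P(next type is b | current type is a)."""
    return {a: {b: n / sum(nxt.values()) for b, n in nxt.items()} for a, nxt in counts.items()}

def mine_knowledge_base(alerts, min_prob=0.5):
    """Step 3: keep transitions with probability >= min_prob (threshold assumed)."""
    matrix = transition_matrix(fused_transition_counts(cluster_by_address(alerts)))
    rules = [(a, b, p) for a, row in matrix.items() for b, p in row.items() if p >= min_prob]
    return matrix, sorted(rules, key=lambda r: (-r[2], r[0], r[1]))

if __name__ == "__main__":
    for a, b, p in mine_knowledge_base(ALERTS)[1]:
        print(f"{a} -> {b}: {p:.2f}")
```

On the sample stream the fused matrix gives scan -> bruteforce 2/3 and scan -> exploit 1/3, so only the former survives the 0.5 threshold alongside bruteforce -> exploit and exploit -> c2.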
