Advanced Search
    Feng Xuewei, Wang Dongxia, Huang Minhuan, Li Jin. A Mining Approach for Causal Knowledge in Alert Correlating Based on the Markov Property[J]. Journal of Computer Research and Development, 2014, 51(11): 2493-2504. DOI: 10.7544/issn1000-1239.2014.20130854
    Citation: Feng Xuewei, Wang Dongxia, Huang Minhuan, Li Jin. A Mining Approach for Causal Knowledge in Alert Correlating Based on the Markov Property[J]. Journal of Computer Research and Development, 2014, 51(11): 2493-2504. DOI: 10.7544/issn1000-1239.2014.20130854

    A Mining Approach for Causal Knowledge in Alert Correlating Based on the Markov Property

    • The processes of attackers exploiting target network facilities are always gradual in cyberspace, and multiple attack steps would be performed in order to achieve the ultimate goal. How to form the complete picture of attacks or identify the attack scenarios is one of the main challenges in many research fields, such as cyberspace security situation awareness. Alerts correlation analysis based on causal knowledge is one of the main methods of the CEP (complex event processing) technology, which is a promising way to identify the multi-step attack process and reconstruct attack scenarios. Current researches suffer from the problem of defining causal knowledge manually. In order to solve this problem, a causal knowledge mining method based on the Markov property is proposed in this paper. Firstly, the raw alert streams are clustered by address to produce alert cluster sets; then the one step transition probability matrix between different attack types in each cluster set is mined based on the Markov property, and the knowledge with the same steps is fused; finally the knowledge base is created. The experimental results show that this method is feasible.
    • loading

    Catalog

      Turn off MathJax
      Article Contents

      /

      DownLoad:  Full-Size Img  PowerPoint
      Return
      Return