BPCRISM: A New Intrusion Scenario Building Model

Intrusion detection system (IDS) is the new generation of security-safeguard technology followed firewall and data encryption. Aiming at the same attack, traditional intrusion detection system (IDS) produce a lot of the repeated alerts which have quite difference in content, emphasis and uncertainty, because of its heterogeneity and autonomy. But by analyzing these alerts, the performance of IDS is reduced and the integrated intrusion course and scenario cannot be obtained. In order to analyze and deal the alerts effectively and to rebuild the attack flow and the attack scenario, a new intrusion scenario building model—BPCRISM (based probability and causal relation intrusion scenario model) that combines probabilistic correlation with causal correlation is presented in this paper. The method of the alert relation can be divided into two major categories: probabilistic alert correlation and based causal relation alert correlation, and then algorithms of two alert correlation methods are given. The integrated intrusion course can be identified and the intrusion scenario is built from the correlation alerts. Realizing this model tentatively, experiments are performed by using DARPA Cyber Panel Program Grand Challenge Problem Release 3.2 (GCP), which is an attack scenario simulator, and the effectiveness of the model is verified. This model can solve the problems a single traditional intrusion detection system brings.